The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $NetBSD: ipsec.c,v 1.95.2.2 2005/03/16 22:59:06 tron Exp $      */
    2 /*      $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */
    3 
    4 /*
    5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the project nor the names of its contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  */
   32 
   33 /*
   34  * IPsec controller part.
   35  */
   36 
   37 #include <sys/cdefs.h>
   38 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.95.2.2 2005/03/16 22:59:06 tron Exp $");
   39 
   40 #include "opt_inet.h"
   41 #include "opt_ipsec.h"
   42 
   43 #include <sys/param.h>
   44 #include <sys/systm.h>
   45 #include <sys/malloc.h>
   46 #include <sys/mbuf.h>
   47 #include <sys/domain.h>
   48 #include <sys/protosw.h>
   49 #include <sys/socket.h>
   50 #include <sys/socketvar.h>
   51 #include <sys/errno.h>
   52 #include <sys/time.h>
   53 #include <sys/kernel.h>
   54 #include <sys/syslog.h>
   55 #include <sys/sysctl.h>
   56 
   57 #include <net/if.h>
   58 #include <net/route.h>
   59 
   60 #include <netinet/in.h>
   61 #include <netinet/in_systm.h>
   62 #include <netinet/ip.h>
   63 #include <netinet/ip_var.h>
   64 #include <netinet/in_var.h>
   65 #include <netinet/udp.h>
   66 #include <netinet/udp_var.h>
   67 #include <netinet/ip_ecn.h>
   68 #include <netinet/tcp.h>
   69 #include <netinet/udp.h>
   70 
   71 #include <netinet/ip6.h>
   72 #ifdef INET6
   73 #include <netinet6/ip6_var.h>
   74 #endif
   75 #include <netinet/in_pcb.h>
   76 #ifdef INET6
   77 #include <netinet6/in6_pcb.h>
   78 #include <netinet/icmp6.h>
   79 #endif
   80 
   81 #include <netinet6/ipsec.h>
   82 #include <netinet6/ah.h>
   83 #ifdef IPSEC_ESP
   84 #include <netinet6/esp.h>
   85 #endif
   86 #include <netinet6/ipcomp.h>
   87 #include <netkey/key.h>
   88 #include <netkey/keydb.h>
   89 #include <netkey/key_debug.h>
   90 
   91 #include <net/net_osdep.h>
   92 
   93 #ifdef IPSEC_DEBUG
   94 int ipsec_debug = 1;
   95 #else
   96 int ipsec_debug = 0;
   97 #endif
   98 
   99 struct ipsecstat ipsecstat;
  100 int ip4_ah_cleartos = 1;
  101 int ip4_ah_offsetmask = 0;      /* maybe IP_DF? */
  102 int ip4_ipsec_dfbit = 0;        /* DF bit on encap. 0: clear 1: set 2: copy */
  103 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
  104 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
  105 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
  106 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
  107 struct secpolicy *ip4_def_policy;
  108 int ip4_ipsec_ecn = 0;          /* ECN ignore(-1)/forbidden(0)/allowed(1) */
  109 
  110 #ifdef INET6
  111 struct ipsecstat ipsec6stat;
  112 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
  113 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
  114 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
  115 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
  116 struct secpolicy *ip6_def_policy;
  117 int ip6_ipsec_ecn = 0;          /* ECN ignore(-1)/forbidden(0)/allowed(1) */
  118 
  119 #endif /* INET6 */
  120 
  121 u_int ipsec_spdgen = 1;         /* SPD generation # */
  122 
  123 #ifdef SADB_X_EXT_TAG
  124 static struct pf_tag *ipsec_get_tag __P((struct mbuf *));
  125 #endif
  126 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
  127         struct inpcbpolicy *, int));
  128 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
  129         struct secpolicy *, int));
  130 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
  131 static int ipsec_setspidx_mbuf
  132         __P((struct secpolicyindex *, int, struct mbuf *, int));
  133 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
  134 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
  135 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
  136 #ifdef INET6
  137 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
  138 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
  139 #endif
  140 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
  141 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
  142 #if 0
  143 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
  144 #endif
  145 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
  146 static int ipsec_set_policy
  147         __P((struct secpolicy **, int, caddr_t, size_t, int));
  148 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
  149 static void vshiftl __P((unsigned char *, int, int));
  150 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
  151 static size_t ipsec_hdrsiz __P((struct secpolicy *));
  152 #ifdef INET
  153 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
  154 #endif
  155 #ifdef INET6
  156 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
  157 #endif
  158 #ifdef INET
  159 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
  160 #endif
  161 #ifdef INET6
  162 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
  163 #endif
  164 static struct m_tag *ipsec_addaux __P((struct mbuf *));
  165 static struct m_tag *ipsec_findaux __P((struct mbuf *));
  166 static void ipsec_optaux __P((struct mbuf *, struct m_tag *));
  167 #ifdef INET
  168 static int ipsec4_checksa __P((struct ipsecrequest *,
  169         struct ipsec_output_state *));
  170 #endif
  171 #ifdef INET6
  172 static int ipsec6_checksa __P((struct ipsecrequest *,
  173         struct ipsec_output_state *, int));
  174 #endif
  175 
  176 /*
  177  * try to validate and use cached policy on a pcb.
  178  */
  179 static struct secpolicy *
  180 ipsec_checkpcbcache(m, pcbsp, dir)
  181         struct mbuf *m;
  182         struct inpcbpolicy *pcbsp;
  183         int dir;
  184 {
  185         struct secpolicyindex spidx;
  186 
  187         switch (dir) {
  188         case IPSEC_DIR_INBOUND:
  189         case IPSEC_DIR_OUTBOUND:
  190         case IPSEC_DIR_ANY:
  191                 break;
  192         default:
  193                 return NULL;
  194         }
  195 #ifdef DIAGNOSTIC
  196         if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
  197                 panic("dir too big in ipsec_checkpcbcache");
  198 #endif
  199         /* SPD table change invalidates all the caches */
  200         if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
  201                 ipsec_invalpcbcache(pcbsp, dir);
  202                 return NULL;
  203         }
  204         if (!pcbsp->sp_cache[dir].cachesp)
  205                 return NULL;
  206         if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) {
  207                 ipsec_invalpcbcache(pcbsp, dir);
  208                 return NULL;
  209         }
  210         if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
  211                 if (!pcbsp->sp_cache[dir].cachesp)
  212                         return NULL;
  213                 if (ipsec_setspidx(m, &spidx, 1) != 0)
  214                         return NULL;
  215                 if (bcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx,
  216                          sizeof(spidx))) {
  217                         if (!pcbsp->sp_cache[dir].cachesp->spidx ||
  218                             !key_cmpspidx_withmask(pcbsp->sp_cache[dir].cachesp->spidx,
  219                             &spidx))
  220                                 return NULL;
  221                         pcbsp->sp_cache[dir].cacheidx = spidx;
  222                 }
  223         } else {
  224                 /*
  225                  * The pcb is connected, and the L4 code is sure that:
  226                  * - outgoing side uses inp_[lf]addr
  227                  * - incoming side looks up policy after inpcb lookup
  228                  * and address pair is known to be stable.  We do not need
  229                  * to generate spidx again, nor check the address match again.
  230                  *
  231                  * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
  232                  * and there are calls to ipsec_pcbconn() from in_pcbconnect().
  233                  */
  234         }
  235 
  236         pcbsp->sp_cache[dir].cachesp->lastused = mono_time.tv_sec;
  237         pcbsp->sp_cache[dir].cachesp->refcnt++;
  238         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  239                 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
  240                 pcbsp->sp_cache[dir].cachesp->refcnt,
  241                 pcbsp->sp_cache[dir].cachesp));
  242         return pcbsp->sp_cache[dir].cachesp;
  243 }
  244 
  245 static int
  246 ipsec_fillpcbcache(pcbsp, m, sp, dir)
  247         struct inpcbpolicy *pcbsp;
  248         struct mbuf *m;
  249         struct secpolicy *sp;
  250         int dir;
  251 {
  252 
  253         switch (dir) {
  254         case IPSEC_DIR_INBOUND:
  255         case IPSEC_DIR_OUTBOUND:
  256                 break;
  257         default:
  258                 return EINVAL;
  259         }
  260 #ifdef DIAGNOSTIC
  261         if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
  262                 panic("dir too big in ipsec_checkpcbcache");
  263 #endif
  264 
  265         if (pcbsp->sp_cache[dir].cachesp)
  266                 key_freesp(pcbsp->sp_cache[dir].cachesp);
  267         pcbsp->sp_cache[dir].cachesp = NULL;
  268         pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_MAYBE;
  269         if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) {
  270                 return EINVAL;
  271         }
  272         pcbsp->sp_cache[dir].cachesp = sp;
  273         if (pcbsp->sp_cache[dir].cachesp) {
  274                 pcbsp->sp_cache[dir].cachesp->refcnt++;
  275                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  276                         printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
  277                         pcbsp->sp_cache[dir].cachesp->refcnt,
  278                         pcbsp->sp_cache[dir].cachesp));
  279 
  280                 /*
  281                  * If the PCB is connected, we can remember a hint to
  282                  * possibly short-circuit IPsec processing in other places.
  283                  */
  284                 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
  285                         switch (pcbsp->sp_cache[dir].cachesp->policy) {
  286                         case IPSEC_POLICY_NONE:
  287                         case IPSEC_POLICY_BYPASS:
  288                                 pcbsp->sp_cache[dir].cachehint =
  289                                     IPSEC_PCBHINT_NO;
  290                                 break;
  291                         default:
  292                                 pcbsp->sp_cache[dir].cachehint =
  293                                     IPSEC_PCBHINT_YES;
  294                         }
  295                 }
  296         }
  297         pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
  298 
  299         return 0;
  300 }
  301 
  302 static int
  303 ipsec_invalpcbcache(pcbsp, dir)
  304         struct inpcbpolicy *pcbsp;
  305         int dir;
  306 {
  307         int i;
  308 
  309         for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
  310                 if (dir != IPSEC_DIR_ANY && i != dir)
  311                         continue;
  312                 if (pcbsp->sp_cache[i].cachesp)
  313                         key_freesp(pcbsp->sp_cache[i].cachesp);
  314                 pcbsp->sp_cache[i].cachesp = NULL;
  315                 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_MAYBE;
  316                 pcbsp->sp_cache[i].cachegen = 0;
  317                 bzero(&pcbsp->sp_cache[i].cacheidx,
  318                       sizeof(pcbsp->sp_cache[i].cacheidx));
  319         }
  320         return 0;
  321 }
  322 
  323 int
  324 ipsec_pcbconn(pcbsp)
  325         struct inpcbpolicy *pcbsp;
  326 {
  327 
  328         pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
  329         ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
  330         return 0;
  331 }
  332 
  333 int
  334 ipsec_pcbdisconn(pcbsp)
  335         struct inpcbpolicy *pcbsp;
  336 {
  337 
  338         pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
  339         ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
  340         return 0;
  341 }
  342 
  343 void
  344 ipsec_invalpcbcacheall()
  345 {
  346 
  347         if (ipsec_spdgen == UINT_MAX)
  348                 ipsec_spdgen = 1;
  349         else
  350                 ipsec_spdgen++;
  351 }
  352 
  353 #ifdef SADB_X_EXT_TAG
  354 static struct pf_tag *
  355 ipsec_get_tag(m)
  356         struct mbuf *m;
  357 {
  358         struct m_tag    *mtag;
  359 
  360         if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL)
  361                 return ((struct pf_tag *)(mtag + 1));
  362         else
  363                 return (NULL);
  364 }
  365 #endif
  366 
  367 /*
  368  * For OUTBOUND packet having a socket. Searching SPD for packet,
  369  * and return a pointer to SP.
  370  * OUT: NULL:   no apropreate SP found, the following value is set to error.
  371  *              0       : bypass
  372  *              EACCES  : discard packet.
  373  *              ENOENT  : ipsec_acquire() in progress, maybe.
  374  *              others  : error occurred.
  375  *      others: a pointer to SP
  376  *
  377  * NOTE: IPv6 mapped adddress concern is implemented here.
  378  */
  379 struct secpolicy *
  380 ipsec4_getpolicybysock(m, dir, so, error)
  381         struct mbuf *m;
  382         u_int dir;
  383         struct socket *so;
  384         int *error;
  385 {
  386         struct inpcbpolicy *pcbsp = NULL;
  387         struct secpolicy *currsp = NULL;        /* policy on socket */
  388         struct secpolicy *kernsp = NULL;        /* policy on kernel */
  389         struct secpolicyindex spidx;
  390 #ifdef SADB_X_EXT_TAG
  391         struct pf_tag *t;
  392 #endif
  393         u_int16_t tag;
  394 
  395         /* sanity check */
  396         if (m == NULL || so == NULL || error == NULL)
  397                 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
  398 
  399         switch (so->so_proto->pr_domain->dom_family) {
  400         case AF_INET:
  401                 pcbsp = sotoinpcb(so)->inp_sp;
  402                 break;
  403 #ifdef INET6
  404         case AF_INET6:
  405                 pcbsp = sotoin6pcb(so)->in6p_sp;
  406                 break;
  407 #endif
  408         default:
  409                 panic("ipsec4_getpolicybysock: unsupported address family");
  410         }
  411 
  412 #ifdef DIAGNOSTIC
  413         if (pcbsp == NULL)
  414                 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
  415 #endif
  416 
  417 #ifdef SADB_X_EXT_TAG
  418         t = ipsec_get_tag(m);
  419         tag = t ? t->tag : 0;
  420 #else
  421         tag = 0;
  422 #endif
  423 
  424         /* if we have a cached entry, and if it is still valid, use it. */
  425         ipsecstat.spdcachelookup++;
  426         currsp = ipsec_checkpcbcache(m, pcbsp, dir);
  427         if (currsp) {
  428                 *error = 0;
  429                 return currsp;
  430         }
  431         ipsecstat.spdcachemiss++;
  432 
  433         switch (dir) {
  434         case IPSEC_DIR_INBOUND:
  435                 currsp = pcbsp->sp_in;
  436                 break;
  437         case IPSEC_DIR_OUTBOUND:
  438                 currsp = pcbsp->sp_out;
  439                 break;
  440         default:
  441                 panic("ipsec4_getpolicybysock: illegal direction.");
  442         }
  443 
  444         /* sanity check */
  445         if (currsp == NULL)
  446                 panic("ipsec4_getpolicybysock: currsp is NULL.");
  447 
  448         /* when privileged socket */
  449         if (pcbsp->priv) {
  450                 switch (currsp->policy) {
  451                 case IPSEC_POLICY_BYPASS:
  452                         currsp->refcnt++;
  453                         *error = 0;
  454                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  455                         return currsp;
  456 
  457                 case IPSEC_POLICY_ENTRUST:
  458                         /* look for a policy in SPD */
  459                         if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
  460                             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  461                                 /* SP found */
  462                                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  463                                         printf("DP ipsec4_getpolicybysock called "
  464                                                "to allocate SP:%p\n", kernsp));
  465                                 *error = 0;
  466                                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  467                                 return kernsp;
  468                         }
  469 
  470                         /* no SP found */
  471                         ip4_def_policy->refcnt++;
  472                         *error = 0;
  473                         ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
  474                         return ip4_def_policy;
  475 
  476                 case IPSEC_POLICY_IPSEC:
  477                         currsp->refcnt++;
  478                         *error = 0;
  479                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  480                         return currsp;
  481 
  482                 default:
  483                         ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
  484                               "Invalid policy for PCB %d\n", currsp->policy));
  485                         *error = EINVAL;
  486                         return NULL;
  487                 }
  488                 /* NOTREACHED */
  489         }
  490 
  491         /* when non-privileged socket */
  492         /* look for a policy in SPD */
  493         if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
  494             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  495                 /* SP found */
  496                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  497                         printf("DP ipsec4_getpolicybysock called "
  498                                "to allocate SP:%p\n", kernsp));
  499                 *error = 0;
  500                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  501                 return kernsp;
  502         }
  503 
  504         /* no SP found */
  505         switch (currsp->policy) {
  506         case IPSEC_POLICY_BYPASS:
  507                 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
  508                        "Illegal policy for non-privileged defined %d\n",
  509                         currsp->policy));
  510                 *error = EINVAL;
  511                 return NULL;
  512 
  513         case IPSEC_POLICY_ENTRUST:
  514                 ip4_def_policy->refcnt++;
  515                 *error = 0;
  516                 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
  517                 return ip4_def_policy;
  518 
  519         case IPSEC_POLICY_IPSEC:
  520                 currsp->refcnt++;
  521                 *error = 0;
  522                 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  523                 return currsp;
  524 
  525         default:
  526                 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
  527                    "Invalid policy for PCB %d\n", currsp->policy));
  528                 *error = EINVAL;
  529                 return NULL;
  530         }
  531         /* NOTREACHED */
  532 }
  533 
  534 /*
  535  * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
  536  * and return a pointer to SP.
  537  * OUT: positive: a pointer to the entry for security policy leaf matched.
  538  *      NULL:   no apropreate SP found, the following value is set to error.
  539  *              0       : bypass
  540  *              EACCES  : discard packet.
  541  *              ENOENT  : ipsec_acquire() in progress, maybe.
  542  *              others  : error occurred.
  543  */
  544 struct secpolicy *
  545 ipsec4_getpolicybyaddr(m, dir, flag, error)
  546         struct mbuf *m;
  547         u_int dir;
  548         int flag;
  549         int *error;
  550 {
  551         struct secpolicy *sp = NULL;
  552 #ifdef SADB_X_EXT_TAG
  553         struct pf_tag *t;
  554 #endif
  555         u_int16_t tag;
  556 
  557         /* sanity check */
  558         if (m == NULL || error == NULL)
  559                 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
  560 
  561         /* get a policy entry matched with the packet */
  562     {
  563         struct secpolicyindex spidx;
  564 
  565         bzero(&spidx, sizeof(spidx));
  566 
  567         /* make an index to look for a policy */
  568         *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
  569             (flag & IP_FORWARDING) ? 0 : 1);
  570 
  571         if (*error != 0)
  572                 return NULL;
  573 
  574 #ifdef SADB_X_EXT_TAG
  575         t = ipsec_get_tag(m);
  576         tag = t ? t->tag : 0;
  577 #else
  578         tag = 0;
  579 #endif
  580 
  581         sp = key_allocsp(tag, &spidx, dir);
  582     }
  583 
  584         /* SP found */
  585         if (sp != NULL) {
  586                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  587                         printf("DP ipsec4_getpolicybyaddr called "
  588                                "to allocate SP:%p\n", sp));
  589                 *error = 0;
  590                 return sp;
  591         }
  592 
  593         /* no SP found */
  594         ip4_def_policy->refcnt++;
  595         *error = 0;
  596         return ip4_def_policy;
  597 }
  598 
  599 #ifdef INET6
  600 /*
  601  * For OUTBOUND packet having a socket. Searching SPD for packet,
  602  * and return a pointer to SP.
  603  * OUT: NULL:   no apropreate SP found, the following value is set to error.
  604  *              0       : bypass
  605  *              EACCES  : discard packet.
  606  *              ENOENT  : ipsec_acquire() in progress, maybe.
  607  *              others  : error occurred.
  608  *      others: a pointer to SP
  609  */
  610 struct secpolicy *
  611 ipsec6_getpolicybysock(m, dir, so, error)
  612         struct mbuf *m;
  613         u_int dir;
  614         struct socket *so;
  615         int *error;
  616 {
  617         struct inpcbpolicy *pcbsp = NULL;
  618         struct secpolicy *currsp = NULL;        /* policy on socket */
  619         struct secpolicy *kernsp = NULL;        /* policy on kernel */
  620         struct secpolicyindex spidx;
  621 #ifdef SADB_X_EXT_TAG
  622         struct pf_tag *t;
  623 #endif
  624         u_int16_t tag;
  625 
  626         /* sanity check */
  627         if (m == NULL || so == NULL || error == NULL)
  628                 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
  629 
  630 #ifdef DIAGNOSTIC
  631         if (so->so_proto->pr_domain->dom_family != AF_INET6)
  632                 panic("ipsec6_getpolicybysock: socket domain != inet6");
  633 #endif
  634 
  635         pcbsp = sotoin6pcb(so)->in6p_sp;
  636 
  637 #ifdef DIAGNOSTIC
  638         if (pcbsp == NULL)
  639                 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
  640 #endif
  641 
  642 #ifdef SADB_X_EXT_TAG
  643         t = ipsec_get_tag(m);
  644         tag = t ? t->tag : 0;
  645 #else
  646         tag = 0;
  647 #endif
  648 
  649         /* if we have a cached entry, and if it is still valid, use it. */
  650         ipsec6stat.spdcachelookup++;
  651         currsp = ipsec_checkpcbcache(m, pcbsp, dir);
  652         if (currsp) {
  653                 *error = 0;
  654                 return currsp;
  655         }
  656         ipsec6stat.spdcachemiss++;
  657 
  658         switch (dir) {
  659         case IPSEC_DIR_INBOUND:
  660                 currsp = pcbsp->sp_in;
  661                 break;
  662         case IPSEC_DIR_OUTBOUND:
  663                 currsp = pcbsp->sp_out;
  664                 break;
  665         default:
  666                 panic("ipsec6_getpolicybysock: illegal direction.");
  667         }
  668 
  669         /* sanity check */
  670         if (currsp == NULL)
  671                 panic("ipsec6_getpolicybysock: currsp is NULL.");
  672 
  673         /* when privileged socket */
  674         if (pcbsp->priv) {
  675                 switch (currsp->policy) {
  676                 case IPSEC_POLICY_BYPASS:
  677                         currsp->refcnt++;
  678                         *error = 0;
  679                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  680                         return currsp;
  681 
  682                 case IPSEC_POLICY_ENTRUST:
  683                         /* look for a policy in SPD */
  684                         if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
  685                             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  686                                 /* SP found */
  687                                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  688                                         printf("DP ipsec6_getpolicybysock called "
  689                                                "to allocate SP:%p\n", kernsp));
  690                                 *error = 0;
  691                                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  692                                 return kernsp;
  693                         }
  694 
  695                         /* no SP found */
  696                         ip6_def_policy->refcnt++;
  697                         *error = 0;
  698                         ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
  699                         return ip6_def_policy;
  700 
  701                 case IPSEC_POLICY_IPSEC:
  702                         currsp->refcnt++;
  703                         *error = 0;
  704                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  705                         return currsp;
  706 
  707                 default:
  708                         ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
  709                             "Invalid policy for PCB %d\n", currsp->policy));
  710                         *error = EINVAL;
  711                         return NULL;
  712                 }
  713                 /* NOTREACHED */
  714         }
  715 
  716         /* when non-privileged socket */
  717         /* look for a policy in SPD */
  718         if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
  719             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  720                 /* SP found */
  721                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  722                         printf("DP ipsec6_getpolicybysock called "
  723                                "to allocate SP:%p\n", kernsp));
  724                 *error = 0;
  725                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  726                 return kernsp;
  727         }
  728 
  729         /* no SP found */
  730         switch (currsp->policy) {
  731         case IPSEC_POLICY_BYPASS:
  732                 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
  733                     "Illegal policy for non-privileged defined %d\n",
  734                     currsp->policy));
  735                 *error = EINVAL;
  736                 return NULL;
  737 
  738         case IPSEC_POLICY_ENTRUST:
  739                 ip6_def_policy->refcnt++;
  740                 *error = 0;
  741                 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
  742                 return ip6_def_policy;
  743 
  744         case IPSEC_POLICY_IPSEC:
  745                 currsp->refcnt++;
  746                 *error = 0;
  747                 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  748                 return currsp;
  749 
  750         default:
  751                 ipseclog((LOG_ERR,
  752                     "ipsec6_policybysock: Invalid policy for PCB %d\n",
  753                     currsp->policy));
  754                 *error = EINVAL;
  755                 return NULL;
  756         }
  757         /* NOTREACHED */
  758 }
  759 
  760 /*
  761  * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
  762  * and return a pointer to SP.
  763  * `flag' means that packet is to be forwarded whether or not.
  764  *      flag = 1: forwad
  765  * OUT: positive: a pointer to the entry for security policy leaf matched.
  766  *      NULL:   no apropreate SP found, the following value is set to error.
  767  *              0       : bypass
  768  *              EACCES  : discard packet.
  769  *              ENOENT  : ipsec_acquire() in progress, maybe.
  770  *              others  : error occurred.
  771  */
  772 #ifndef IP_FORWARDING
  773 #define IP_FORWARDING 1
  774 #endif
  775 
  776 struct secpolicy *
  777 ipsec6_getpolicybyaddr(m, dir, flag, error)
  778         struct mbuf *m;
  779         u_int dir;
  780         int flag;
  781         int *error;
  782 {
  783         struct secpolicy *sp = NULL;
  784 #ifdef SADB_X_EXT_TAG
  785         struct pf_tag *t;
  786 #endif
  787         u_int16_t tag;
  788 
  789         /* sanity check */
  790         if (m == NULL || error == NULL)
  791                 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
  792 
  793         /* get a policy entry matched with the packet */
  794     {
  795         struct secpolicyindex spidx;
  796 
  797         bzero(&spidx, sizeof(spidx));
  798 
  799         /* make an index to look for a policy */
  800         *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
  801             (flag & IP_FORWARDING) ? 0 : 1);
  802 
  803         if (*error != 0)
  804                 return NULL;
  805 
  806 #ifdef SADB_X_EXT_TAG
  807         t = ipsec_get_tag(m);
  808         tag = t ? t->tag : 0;
  809 #else
  810         tag = 0;
  811 #endif
  812 
  813         sp = key_allocsp(tag, &spidx, dir);
  814     }
  815 
  816         /* SP found */
  817         if (sp != NULL) {
  818                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  819                         printf("DP ipsec6_getpolicybyaddr called "
  820                                "to allocate SP:%p\n", sp));
  821                 *error = 0;
  822                 return sp;
  823         }
  824 
  825         /* no SP found */
  826         ip6_def_policy->refcnt++;
  827         *error = 0;
  828         return ip6_def_policy;
  829 }
  830 #endif /* INET6 */
  831 
  832 /*
  833  * set IP address into spidx from mbuf.
  834  * When Forwarding packet and ICMP echo reply, this function is used.
  835  *
  836  * IN:  get the followings from mbuf.
  837  *      protocol family, src, dst, next protocol
  838  * OUT:
  839  *      0:      success.
  840  *      other:  failure, and set errno.
  841  */
  842 int
  843 ipsec_setspidx_mbuf(spidx, family, m, needport)
  844         struct secpolicyindex *spidx;
  845         int family;
  846         struct mbuf *m;
  847         int needport;
  848 {
  849         int error;
  850 
  851         /* sanity check */
  852         if (spidx == NULL || m == NULL)
  853                 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
  854 
  855         bzero(spidx, sizeof(*spidx));
  856 
  857         error = ipsec_setspidx(m, spidx, needport);
  858         if (error)
  859                 goto bad;
  860 
  861         return 0;
  862 
  863     bad:
  864         /* XXX initialize */
  865         bzero(spidx, sizeof(*spidx));
  866         return EINVAL;
  867 }
  868 
  869 /*
  870  * configure security policy index (src/dst/proto/sport/dport)
  871  * by looking at the content of mbuf.
  872  * the caller is responsible for error recovery (like clearing up spidx).
  873  */
  874 static int
  875 ipsec_setspidx(m, spidx, needport)
  876         struct mbuf *m;
  877         struct secpolicyindex *spidx;
  878         int needport;
  879 {
  880         struct ip *ip = NULL;
  881         struct ip ipbuf;
  882         u_int v;
  883         struct mbuf *n;
  884         int len;
  885         int error;
  886 
  887         if (m == NULL)
  888                 panic("ipsec_setspidx: m == 0 passed.");
  889 
  890         bzero(spidx, sizeof(*spidx));
  891 
  892         /*
  893          * validate m->m_pkthdr.len.  we see incorrect length if we
  894          * mistakenly call this function with inconsistent mbuf chain
  895          * (like 4.4BSD tcp/udp processing).  XXX should we panic here?
  896          */
  897         len = 0;
  898         for (n = m; n; n = n->m_next)
  899                 len += n->m_len;
  900         if (m->m_pkthdr.len != len) {
  901                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  902                         printf("ipsec_setspidx: "
  903                                "total of m_len(%d) != pkthdr.len(%d), "
  904                                "ignored.\n",
  905                                 len, m->m_pkthdr.len));
  906                 return EINVAL;
  907         }
  908 
  909         if (m->m_pkthdr.len < sizeof(struct ip)) {
  910                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  911                         printf("ipsec_setspidx: "
  912                             "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
  913                             m->m_pkthdr.len));
  914                 return EINVAL;
  915         }
  916 
  917         if (m->m_len >= sizeof(*ip))
  918                 ip = mtod(m, struct ip *);
  919         else {
  920                 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
  921                 ip = &ipbuf;
  922         }
  923         v = ip->ip_v;
  924         switch (v) {
  925         case 4:
  926                 error = ipsec4_setspidx_ipaddr(m, spidx);
  927                 if (error)
  928                         return error;
  929                 ipsec4_get_ulp(m, spidx, needport);
  930                 return 0;
  931 #ifdef INET6
  932         case 6:
  933                 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
  934                         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  935                                 printf("ipsec_setspidx: "
  936                                     "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
  937                                     "ignored.\n", m->m_pkthdr.len));
  938                         return EINVAL;
  939                 }
  940                 error = ipsec6_setspidx_ipaddr(m, spidx);
  941                 if (error)
  942                         return error;
  943                 ipsec6_get_ulp(m, spidx, needport);
  944                 return 0;
  945 #endif
  946         default:
  947                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  948                         printf("ipsec_setspidx: "
  949                             "unknown IP version %u, ignored.\n", v));
  950                 return EINVAL;
  951         }
  952 }
  953 
  954 static void
  955 ipsec4_get_ulp(m, spidx, needport)
  956         struct mbuf *m;
  957         struct secpolicyindex *spidx;
  958         int needport;
  959 {
  960         struct ip ip;
  961         struct ip6_ext ip6e;
  962         u_int8_t nxt;
  963         int off;
  964         struct tcphdr th;
  965         struct udphdr uh;
  966 
  967         /* sanity check */
  968         if (m == NULL)
  969                 panic("ipsec4_get_ulp: NULL pointer was passed.");
  970         if (m->m_pkthdr.len < sizeof(ip))
  971                 panic("ipsec4_get_ulp: too short");
  972 
  973         /* set default */
  974         spidx->ul_proto = IPSEC_ULPROTO_ANY;
  975         ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
  976         ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
  977 
  978         m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
  979         if (ip.ip_off & htons(IP_MF | IP_OFFMASK))
  980                 return;
  981 
  982         nxt = ip.ip_p;
  983         off = ip.ip_hl << 2;
  984         while (off < m->m_pkthdr.len) {
  985                 switch (nxt) {
  986                 case IPPROTO_TCP:
  987                         spidx->ul_proto = nxt;
  988                         if (!needport)
  989                                 return;
  990                         if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
  991                                 return;
  992                         m_copydata(m, off, sizeof(th), (caddr_t)&th);
  993                         ((struct sockaddr_in *)&spidx->src)->sin_port =
  994                             th.th_sport;
  995                         ((struct sockaddr_in *)&spidx->dst)->sin_port =
  996                             th.th_dport;
  997                         return;
  998                 case IPPROTO_UDP:
  999                         spidx->ul_proto = nxt;
 1000                         if (!needport)
 1001                                 return;
 1002                         if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
 1003                                 return;
 1004                         m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
 1005                         ((struct sockaddr_in *)&spidx->src)->sin_port =
 1006                             uh.uh_sport;
 1007                         ((struct sockaddr_in *)&spidx->dst)->sin_port =
 1008                             uh.uh_dport;
 1009                         return;
 1010                 case IPPROTO_AH:
 1011                         if (off + sizeof(ip6e) > m->m_pkthdr.len)
 1012                                 return;
 1013                         m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1014                         off += (ip6e.ip6e_len + 2) << 2;
 1015                         nxt = ip6e.ip6e_nxt;
 1016                         break;
 1017                 case IPPROTO_ICMP:
 1018                 default:
 1019                         /* XXX intermediate headers??? */
 1020                         spidx->ul_proto = nxt;
 1021                         return;
 1022                 }
 1023         }
 1024 }
 1025 
 1026 /* assumes that m is sane */
 1027 static int
 1028 ipsec4_setspidx_ipaddr(m, spidx)
 1029         struct mbuf *m;
 1030         struct secpolicyindex *spidx;
 1031 {
 1032         struct ip *ip = NULL;
 1033         struct ip ipbuf;
 1034         struct sockaddr_in *sin;
 1035 
 1036         if (m->m_len >= sizeof(*ip))
 1037                 ip = mtod(m, struct ip *);
 1038         else {
 1039                 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
 1040                 ip = &ipbuf;
 1041         }
 1042 
 1043         sin = (struct sockaddr_in *)&spidx->src;
 1044         bzero(sin, sizeof(*sin));
 1045         sin->sin_family = AF_INET;
 1046         sin->sin_len = sizeof(struct sockaddr_in);
 1047         bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
 1048         spidx->prefs = sizeof(struct in_addr) << 3;
 1049 
 1050         sin = (struct sockaddr_in *)&spidx->dst;
 1051         bzero(sin, sizeof(*sin));
 1052         sin->sin_family = AF_INET;
 1053         sin->sin_len = sizeof(struct sockaddr_in);
 1054         bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
 1055         spidx->prefd = sizeof(struct in_addr) << 3;
 1056         return 0;
 1057 }
 1058 
 1059 #ifdef INET6
 1060 static void
 1061 ipsec6_get_ulp(m, spidx, needport)
 1062         struct mbuf *m;
 1063         struct secpolicyindex *spidx;
 1064         int needport;
 1065 {
 1066         int off, nxt;
 1067         struct tcphdr th;
 1068         struct udphdr uh;
 1069 
 1070         /* sanity check */
 1071         if (m == NULL)
 1072                 panic("ipsec6_get_ulp: NULL pointer was passed.");
 1073 
 1074         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1075                 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
 1076 
 1077         /* set default */
 1078         spidx->ul_proto = IPSEC_ULPROTO_ANY;
 1079         ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
 1080         ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
 1081 
 1082         nxt = -1;
 1083         off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
 1084         if (off < 0 || m->m_pkthdr.len < off)
 1085                 return;
 1086 
 1087         switch (nxt) {
 1088         case IPPROTO_TCP:
 1089                 spidx->ul_proto = nxt;
 1090                 if (!needport)
 1091                         break;
 1092                 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
 1093                         break;
 1094                 m_copydata(m, off, sizeof(th), (caddr_t)&th);
 1095                 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
 1096                 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
 1097                 break;
 1098         case IPPROTO_UDP:
 1099                 spidx->ul_proto = nxt;
 1100                 if (!needport)
 1101                         break;
 1102                 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
 1103                         break;
 1104                 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
 1105                 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
 1106                 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
 1107                 break;
 1108         case IPPROTO_ICMPV6:
 1109         default:
 1110                 /* XXX intermediate headers??? */
 1111                 spidx->ul_proto = nxt;
 1112                 break;
 1113         }
 1114 }
 1115 
 1116 /* assumes that m is sane */
 1117 static int
 1118 ipsec6_setspidx_ipaddr(m, spidx)
 1119         struct mbuf *m;
 1120         struct secpolicyindex *spidx;
 1121 {
 1122         struct ip6_hdr *ip6 = NULL;
 1123         struct ip6_hdr ip6buf;
 1124         struct sockaddr_in6 *sin6;
 1125 
 1126         if (m->m_len >= sizeof(*ip6))
 1127                 ip6 = mtod(m, struct ip6_hdr *);
 1128         else {
 1129                 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
 1130                 ip6 = &ip6buf;
 1131         }
 1132 
 1133         sin6 = (struct sockaddr_in6 *)&spidx->src;
 1134         bzero(sin6, sizeof(*sin6));
 1135         sin6->sin6_family = AF_INET6;
 1136         sin6->sin6_len = sizeof(struct sockaddr_in6);
 1137         in6_recoverscope(sin6, &ip6->ip6_src, NULL);
 1138         spidx->prefs = sizeof(struct in6_addr) << 3;
 1139 
 1140         sin6 = (struct sockaddr_in6 *)&spidx->dst;
 1141         bzero(sin6, sizeof(*sin6));
 1142         sin6->sin6_family = AF_INET6;
 1143         sin6->sin6_len = sizeof(struct sockaddr_in6);
 1144         in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
 1145         spidx->prefd = sizeof(struct in6_addr) << 3;
 1146 
 1147         return 0;
 1148 }
 1149 #endif
 1150 
 1151 static struct inpcbpolicy *
 1152 ipsec_newpcbpolicy()
 1153 {
 1154         struct inpcbpolicy *p;
 1155 
 1156         p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
 1157         return p;
 1158 }
 1159 
 1160 static void
 1161 ipsec_delpcbpolicy(p)
 1162         struct inpcbpolicy *p;
 1163 {
 1164 
 1165         free(p, M_SECA);
 1166 }
 1167 
 1168 /* initialize policy in PCB */
 1169 int
 1170 ipsec_init_pcbpolicy(so, pcb_sp)
 1171         struct socket *so;
 1172         struct inpcbpolicy **pcb_sp;
 1173 {
 1174         struct inpcbpolicy *new;
 1175         static int initialized = 0;
 1176         static struct secpolicy *in = NULL, *out = NULL;
 1177 
 1178         /* sanity check. */
 1179         if (so == NULL || pcb_sp == NULL)
 1180                 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
 1181 
 1182         if (!initialized) {
 1183                 if ((in = key_newsp(0)) == NULL)
 1184                         return ENOBUFS;
 1185                 if ((out = key_newsp(0)) == NULL) {
 1186                         key_freesp(in);
 1187                         in = NULL;
 1188                         return ENOBUFS;
 1189                 }
 1190 
 1191                 in->state = IPSEC_SPSTATE_ALIVE;
 1192                 in->policy = IPSEC_POLICY_ENTRUST;
 1193                 in->dir = IPSEC_DIR_INBOUND;
 1194                 in->readonly = 1;
 1195                 in->persist = 1;
 1196                 in->so = NULL;
 1197 
 1198                 out->state = IPSEC_SPSTATE_ALIVE;
 1199                 out->policy = IPSEC_POLICY_ENTRUST;
 1200                 out->dir = IPSEC_DIR_OUTBOUND;
 1201                 out->readonly = 1;
 1202                 out->persist = 1;
 1203                 out->so = NULL;
 1204 
 1205                 initialized++;
 1206         }
 1207 
 1208         new = ipsec_newpcbpolicy();
 1209         if (new == NULL) {
 1210                 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
 1211                 return ENOBUFS;
 1212         }
 1213         bzero(new, sizeof(*new));
 1214 
 1215         if (so->so_uid == 0)    /* XXX */
 1216                 new->priv = 1;
 1217         else
 1218                 new->priv = 0;
 1219 
 1220         new->sp_in = in;
 1221         new->sp_in->refcnt++;
 1222         new->sp_out = out;
 1223         new->sp_out->refcnt++;
 1224 
 1225         *pcb_sp = new;
 1226 
 1227         return 0;
 1228 }
 1229 
 1230 /* copy old ipsec policy into new */
 1231 int
 1232 ipsec_copy_pcbpolicy(old, new)
 1233         struct inpcbpolicy *old, *new;
 1234 {
 1235 
 1236         if (new->sp_in)
 1237                 key_freesp(new->sp_in);
 1238         if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
 1239                 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
 1240         else {
 1241                 new->sp_in = old->sp_in;
 1242                 new->sp_in->refcnt++;
 1243         }
 1244 
 1245         if (new->sp_out)
 1246                 key_freesp(new->sp_out);
 1247         if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
 1248                 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
 1249         else {
 1250                 new->sp_out = old->sp_out;
 1251                 new->sp_out->refcnt++;
 1252         }
 1253 
 1254         new->priv = old->priv;
 1255 
 1256         return 0;
 1257 }
 1258 
 1259 #if 0
 1260 static int
 1261 ipsec_deepcopy_pcbpolicy(pcb_sp)
 1262         struct inpcbpolicy *pcb_sp;
 1263 {
 1264         struct secpolicy *sp;
 1265 
 1266         sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
 1267         if (sp) {
 1268                 key_freesp(pcb_sp->sp_in);
 1269                 pcb_sp->sp_in = sp;
 1270         } else
 1271                 return ENOBUFS;
 1272 
 1273         sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
 1274         if (sp) {
 1275                 key_freesp(pcb_sp->sp_out);
 1276                 pcb_sp->sp_out = sp;
 1277         } else
 1278                 return ENOBUFS;
 1279 
 1280         return 0;
 1281 }
 1282 #endif
 1283 
 1284 /* deep-copy a policy in PCB */
 1285 static struct secpolicy *
 1286 ipsec_deepcopy_policy(src)
 1287         struct secpolicy *src;
 1288 {
 1289         struct ipsecrequest *newchain = NULL;
 1290         struct ipsecrequest *p;
 1291         struct ipsecrequest **q;
 1292         struct ipsecrequest *r;
 1293         struct secpolicy *dst;
 1294 
 1295         if (src == NULL)
 1296                 return NULL;
 1297 
 1298         dst = key_newsp(0);
 1299         if (dst == NULL)
 1300                 return NULL;
 1301 
 1302         /*
 1303          * deep-copy IPsec request chain.  This is required since struct
 1304          * ipsecrequest is not reference counted.
 1305          */
 1306         q = &newchain;
 1307         for (p = src->req; p; p = p->next) {
 1308                 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
 1309                         M_SECA, M_NOWAIT);
 1310                 if (*q == NULL)
 1311                         goto fail;
 1312                 bzero(*q, sizeof(**q));
 1313                 (*q)->next = NULL;
 1314 
 1315                 (*q)->saidx.proto = p->saidx.proto;
 1316                 (*q)->saidx.mode = p->saidx.mode;
 1317                 (*q)->level = p->level;
 1318                 (*q)->saidx.reqid = p->saidx.reqid;
 1319 
 1320                 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
 1321                 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
 1322 
 1323                 (*q)->sav = NULL;
 1324                 (*q)->sp = dst;
 1325 
 1326                 q = &((*q)->next);
 1327         }
 1328 
 1329         if (src->spidx)
 1330                 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
 1331                         goto fail;
 1332 
 1333         dst->req = newchain;
 1334         dst->state = src->state;
 1335         dst->policy = src->policy;
 1336         dst->dir = src->dir;
 1337         dst->so = src->so;
 1338         /* do not touch the refcnt fields */
 1339 
 1340         return dst;
 1341 
 1342 fail:
 1343         for (p = newchain; p; p = r) {
 1344                 r = p->next;
 1345                 free(p, M_SECA);
 1346                 p = NULL;
 1347         }
 1348         key_freesp(dst);
 1349         return NULL;
 1350 }
 1351 
 1352 /* set policy and ipsec request if present. */
 1353 static int
 1354 ipsec_set_policy(spp, optname, request, len, priv)
 1355         struct secpolicy **spp;
 1356         int optname;
 1357         caddr_t request;
 1358         size_t len;
 1359         int priv;
 1360 {
 1361         struct sadb_x_policy *xpl;
 1362         struct secpolicy *newsp = NULL;
 1363         int error;
 1364 
 1365         /* sanity check. */
 1366         if (spp == NULL || *spp == NULL || request == NULL)
 1367                 return EINVAL;
 1368         if (len < sizeof(*xpl))
 1369                 return EINVAL;
 1370         xpl = (struct sadb_x_policy *)request;
 1371 
 1372         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1373                 printf("ipsec_set_policy: passed policy\n");
 1374                 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
 1375 
 1376         /* check policy type */
 1377         /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
 1378         if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
 1379             xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
 1380                 return EINVAL;
 1381 
 1382         /* check privileged socket */
 1383         if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
 1384                 return EACCES;
 1385 
 1386         /* allocation new SP entry */
 1387         if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
 1388                 return error;
 1389 
 1390         newsp->state = IPSEC_SPSTATE_ALIVE;
 1391 
 1392         /* clear old SP and set new SP */
 1393         key_freesp(*spp);
 1394         *spp = newsp;
 1395         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1396                 printf("ipsec_set_policy: new policy\n");
 1397                 kdebug_secpolicy(newsp));
 1398 
 1399         return 0;
 1400 }
 1401 
 1402 static int
 1403 ipsec_get_policy(sp, mp)
 1404         struct secpolicy *sp;
 1405         struct mbuf **mp;
 1406 {
 1407 
 1408         /* sanity check. */
 1409         if (sp == NULL || mp == NULL)
 1410                 return EINVAL;
 1411 
 1412         *mp = key_sp2msg(sp);
 1413         if (!*mp) {
 1414                 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
 1415                 return ENOBUFS;
 1416         }
 1417 
 1418         (*mp)->m_type = MT_SOOPTS;
 1419         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1420                 printf("ipsec_get_policy:\n");
 1421                 kdebug_mbuf(*mp));
 1422 
 1423         return 0;
 1424 }
 1425 
 1426 int
 1427 ipsec4_set_policy(inp, optname, request, len, priv)
 1428         struct inpcb *inp;
 1429         int optname;
 1430         caddr_t request;
 1431         size_t len;
 1432         int priv;
 1433 {
 1434         struct sadb_x_policy *xpl;
 1435         struct secpolicy **spp;
 1436 
 1437         /* sanity check. */
 1438         if (inp == NULL || request == NULL)
 1439                 return EINVAL;
 1440         if (len < sizeof(*xpl))
 1441                 return EINVAL;
 1442         xpl = (struct sadb_x_policy *)request;
 1443 
 1444         /* select direction */
 1445         switch (xpl->sadb_x_policy_dir) {
 1446         case IPSEC_DIR_INBOUND:
 1447                 spp = &inp->inp_sp->sp_in;
 1448                 break;
 1449         case IPSEC_DIR_OUTBOUND:
 1450                 spp = &inp->inp_sp->sp_out;
 1451                 break;
 1452         default:
 1453                 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
 1454                         xpl->sadb_x_policy_dir));
 1455                 return EINVAL;
 1456         }
 1457 
 1458         ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
 1459         return ipsec_set_policy(spp, optname, request, len, priv);
 1460 }
 1461 
 1462 int
 1463 ipsec4_get_policy(inp, request, len, mp)
 1464         struct inpcb *inp;
 1465         caddr_t request;
 1466         size_t len;
 1467         struct mbuf **mp;
 1468 {
 1469         struct sadb_x_policy *xpl;
 1470         struct secpolicy *sp;
 1471 
 1472         /* sanity check. */
 1473         if (inp == NULL || request == NULL || mp == NULL)
 1474                 return EINVAL;
 1475         if (inp->inp_sp == NULL)
 1476                 panic("policy in PCB is NULL");
 1477         if (len < sizeof(*xpl))
 1478                 return EINVAL;
 1479         xpl = (struct sadb_x_policy *)request;
 1480 
 1481         /* select direction */
 1482         switch (xpl->sadb_x_policy_dir) {
 1483         case IPSEC_DIR_INBOUND:
 1484                 sp = inp->inp_sp->sp_in;
 1485                 break;
 1486         case IPSEC_DIR_OUTBOUND:
 1487                 sp = inp->inp_sp->sp_out;
 1488                 break;
 1489         default:
 1490                 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
 1491                         xpl->sadb_x_policy_dir));
 1492                 return EINVAL;
 1493         }
 1494 
 1495         return ipsec_get_policy(sp, mp);
 1496 }
 1497 
 1498 /* delete policy in PCB */
 1499 int
 1500 ipsec4_delete_pcbpolicy(inp)
 1501         struct inpcb *inp;
 1502 {
 1503         /* sanity check. */
 1504         if (inp == NULL)
 1505                 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
 1506 
 1507         if (inp->inp_sp == NULL)
 1508                 return 0;
 1509 
 1510         if (inp->inp_sp->sp_in != NULL) {
 1511                 key_freesp(inp->inp_sp->sp_in);
 1512                 inp->inp_sp->sp_in = NULL;
 1513         }
 1514 
 1515         if (inp->inp_sp->sp_out != NULL) {
 1516                 key_freesp(inp->inp_sp->sp_out);
 1517                 inp->inp_sp->sp_out = NULL;
 1518         }
 1519 
 1520         ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
 1521 
 1522         ipsec_delpcbpolicy(inp->inp_sp);
 1523         inp->inp_sp = NULL;
 1524 
 1525         return 0;
 1526 }
 1527 
 1528 #ifdef INET6
 1529 int
 1530 ipsec6_set_policy(in6p, optname, request, len, priv)
 1531         struct in6pcb *in6p;
 1532         int optname;
 1533         caddr_t request;
 1534         size_t len;
 1535         int priv;
 1536 {
 1537         struct sadb_x_policy *xpl;
 1538         struct secpolicy **spp;
 1539 
 1540         /* sanity check. */
 1541         if (in6p == NULL || request == NULL)
 1542                 return EINVAL;
 1543         if (len < sizeof(*xpl))
 1544                 return EINVAL;
 1545         xpl = (struct sadb_x_policy *)request;
 1546 
 1547         /* select direction */
 1548         switch (xpl->sadb_x_policy_dir) {
 1549         case IPSEC_DIR_INBOUND:
 1550                 spp = &in6p->in6p_sp->sp_in;
 1551                 break;
 1552         case IPSEC_DIR_OUTBOUND:
 1553                 spp = &in6p->in6p_sp->sp_out;
 1554                 break;
 1555         default:
 1556                 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
 1557                         xpl->sadb_x_policy_dir));
 1558                 return EINVAL;
 1559         }
 1560 
 1561         ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
 1562         return ipsec_set_policy(spp, optname, request, len, priv);
 1563 }
 1564 
 1565 int
 1566 ipsec6_get_policy(in6p, request, len, mp)
 1567         struct in6pcb *in6p;
 1568         caddr_t request;
 1569         size_t len;
 1570         struct mbuf **mp;
 1571 {
 1572         struct sadb_x_policy *xpl;
 1573         struct secpolicy *sp;
 1574 
 1575         /* sanity check. */
 1576         if (in6p == NULL || request == NULL || mp == NULL)
 1577                 return EINVAL;
 1578         if (in6p->in6p_sp == NULL)
 1579                 panic("policy in PCB is NULL");
 1580         if (len < sizeof(*xpl))
 1581                 return EINVAL;
 1582         xpl = (struct sadb_x_policy *)request;
 1583 
 1584         /* select direction */
 1585         switch (xpl->sadb_x_policy_dir) {
 1586         case IPSEC_DIR_INBOUND:
 1587                 sp = in6p->in6p_sp->sp_in;
 1588                 break;
 1589         case IPSEC_DIR_OUTBOUND:
 1590                 sp = in6p->in6p_sp->sp_out;
 1591                 break;
 1592         default:
 1593                 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
 1594                         xpl->sadb_x_policy_dir));
 1595                 return EINVAL;
 1596         }
 1597 
 1598         return ipsec_get_policy(sp, mp);
 1599 }
 1600 
 1601 int
 1602 ipsec6_delete_pcbpolicy(in6p)
 1603         struct in6pcb *in6p;
 1604 {
 1605         /* sanity check. */
 1606         if (in6p == NULL)
 1607                 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
 1608 
 1609         if (in6p->in6p_sp == NULL)
 1610                 return 0;
 1611 
 1612         if (in6p->in6p_sp->sp_in != NULL) {
 1613                 key_freesp(in6p->in6p_sp->sp_in);
 1614                 in6p->in6p_sp->sp_in = NULL;
 1615         }
 1616 
 1617         if (in6p->in6p_sp->sp_out != NULL) {
 1618                 key_freesp(in6p->in6p_sp->sp_out);
 1619                 in6p->in6p_sp->sp_out = NULL;
 1620         }
 1621 
 1622         ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
 1623 
 1624         ipsec_delpcbpolicy(in6p->in6p_sp);
 1625         in6p->in6p_sp = NULL;
 1626 
 1627         return 0;
 1628 }
 1629 #endif
 1630 
 1631 /*
 1632  * return current level.
 1633  * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
 1634  */
 1635 u_int
 1636 ipsec_get_reqlevel(isr, af)
 1637         struct ipsecrequest *isr;
 1638         int af;
 1639 {
 1640         u_int level = 0;
 1641         u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
 1642 
 1643         /* sanity check */
 1644         if (isr == NULL || isr->sp == NULL)
 1645                 panic("ipsec_get_reqlevel: NULL pointer is passed.");
 1646 
 1647         /* set default level */
 1648         switch (af) {
 1649 #ifdef INET
 1650         case AF_INET:
 1651                 esp_trans_deflev = ip4_esp_trans_deflev;
 1652                 esp_net_deflev = ip4_esp_net_deflev;
 1653                 ah_trans_deflev = ip4_ah_trans_deflev;
 1654                 ah_net_deflev = ip4_ah_net_deflev;
 1655                 break;
 1656 #endif
 1657 #ifdef INET6
 1658         case AF_INET6:
 1659                 esp_trans_deflev = ip6_esp_trans_deflev;
 1660                 esp_net_deflev = ip6_esp_net_deflev;
 1661                 ah_trans_deflev = ip6_ah_trans_deflev;
 1662                 ah_net_deflev = ip6_ah_net_deflev;
 1663                 break;
 1664 #endif /* INET6 */
 1665         default:
 1666                 panic("key_get_reqlevel: Unknown family. %d",
 1667                         ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
 1668         }
 1669 
 1670         /* set level */
 1671         switch (isr->level) {
 1672         case IPSEC_LEVEL_DEFAULT:
 1673                 switch (isr->saidx.proto) {
 1674                 case IPPROTO_ESP:
 1675                         if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 1676                                 level = esp_net_deflev;
 1677                         else
 1678                                 level = esp_trans_deflev;
 1679                         break;
 1680                 case IPPROTO_AH:
 1681                         if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 1682                                 level = ah_net_deflev;
 1683                         else
 1684                                 level = ah_trans_deflev;
 1685                 case IPPROTO_IPCOMP:
 1686                         /*
 1687                          * we don't really care, as IPcomp document says that
 1688                          * we shouldn't compress small packets
 1689                          */
 1690                         level = IPSEC_LEVEL_USE;
 1691                         break;
 1692                 case IPPROTO_IPV4:
 1693                 case IPPROTO_IPV6:
 1694                         /* should never go into here */
 1695                         level = IPSEC_LEVEL_REQUIRE;
 1696                         break;
 1697                 default:
 1698                         panic("ipsec_get_reqlevel: "
 1699                                 "Illegal protocol defined %u\n",
 1700                                 isr->saidx.proto);
 1701                 }
 1702                 break;
 1703 
 1704         case IPSEC_LEVEL_USE:
 1705         case IPSEC_LEVEL_REQUIRE:
 1706                 level = isr->level;
 1707                 break;
 1708         case IPSEC_LEVEL_UNIQUE:
 1709                 level = IPSEC_LEVEL_REQUIRE;
 1710                 break;
 1711 
 1712         default:
 1713                 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
 1714                         isr->level);
 1715         }
 1716 
 1717         return level;
 1718 }
 1719 
 1720 /*
 1721  * Check AH/ESP integrity.
 1722  * OUT:
 1723  *      0: valid
 1724  *      1: invalid
 1725  */
 1726 static int
 1727 ipsec_in_reject(sp, m)
 1728         struct secpolicy *sp;
 1729         struct mbuf *m;
 1730 {
 1731         struct ipsecrequest *isr;
 1732         u_int level;
 1733         int need_auth, need_conf, need_icv;
 1734 
 1735         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 1736                 printf("ipsec_in_reject: using SP\n");
 1737                 kdebug_secpolicy(sp));
 1738 
 1739         /* check policy */
 1740         switch (sp->policy) {
 1741         case IPSEC_POLICY_DISCARD:
 1742                 return 1;
 1743         case IPSEC_POLICY_BYPASS:
 1744         case IPSEC_POLICY_NONE:
 1745                 return 0;
 1746 
 1747         case IPSEC_POLICY_IPSEC:
 1748                 break;
 1749 
 1750         case IPSEC_POLICY_ENTRUST:
 1751         default:
 1752                 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
 1753         }
 1754 
 1755         need_auth = 0;
 1756         need_conf = 0;
 1757         need_icv = 0;
 1758 
 1759         /* XXX should compare policy against ipsec header history */
 1760 
 1761         for (isr = sp->req; isr != NULL; isr = isr->next) {
 1762                 /* get current level */
 1763                 level = ipsec_get_reqlevel(isr, AF_INET);
 1764 
 1765                 switch (isr->saidx.proto) {
 1766                 case IPPROTO_ESP:
 1767                         if (level == IPSEC_LEVEL_REQUIRE) {
 1768                                 need_conf++;
 1769 
 1770                                 if (isr->sav != NULL
 1771                                  && isr->sav->flags == SADB_X_EXT_NONE
 1772                                  && isr->sav->alg_auth != SADB_AALG_NONE)
 1773                                         need_icv++;
 1774                         }
 1775                         break;
 1776                 case IPPROTO_AH:
 1777                         if (level == IPSEC_LEVEL_REQUIRE) {
 1778                                 need_auth++;
 1779                                 need_icv++;
 1780                         }
 1781                         break;
 1782                 case IPPROTO_IPCOMP:
 1783                         /*
 1784                          * we don't really care, as IPcomp document says that
 1785                          * we shouldn't compress small packets, IPComp policy
 1786                          * should always be treated as being in "use" level.
 1787                          */
 1788                         break;
 1789                 case IPPROTO_IPV4:
 1790                 case IPPROTO_IPV6:
 1791                         /*
 1792                          * XXX what shall we do, until introducing more complex
 1793                          * policy checking code?
 1794                          */
 1795                         break;
 1796                 }
 1797         }
 1798 
 1799         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1800                 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
 1801                         need_auth, need_conf, need_icv, m->m_flags));
 1802 
 1803         if ((need_conf && !(m->m_flags & M_DECRYPTED))
 1804          || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
 1805          || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
 1806                 return 1;
 1807 
 1808         return 0;
 1809 }
 1810 
 1811 /*
 1812  * Check AH/ESP integrity.
 1813  * This function is called from tcp_input(), udp_input(),
 1814  * and {ah,esp}4_input for tunnel mode
 1815  */
 1816 int
 1817 ipsec4_in_reject_so(m, so)
 1818         struct mbuf *m;
 1819         struct socket *so;
 1820 {
 1821         struct secpolicy *sp = NULL;
 1822         int error;
 1823         int result;
 1824 
 1825         /* sanity check */
 1826         if (m == NULL)
 1827                 return 0;       /* XXX should be panic ? */
 1828 
 1829         /* get SP for this packet.
 1830          * When we are called from ip_forward(), we call
 1831          * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
 1832          */
 1833         if (so == NULL)
 1834                 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
 1835                     IP_FORWARDING, &error);
 1836         else
 1837                 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
 1838 
 1839         /* XXX should be panic ? -> No, there may be error. */
 1840         if (sp == NULL)
 1841                 return 0;
 1842 
 1843         result = ipsec_in_reject(sp, m);
 1844         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 1845                 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
 1846         key_freesp(sp);
 1847 
 1848         return result;
 1849 }
 1850 
 1851 int
 1852 ipsec4_in_reject(m, inp)
 1853         struct mbuf *m;
 1854         struct inpcb *inp;
 1855 {
 1856         if (inp == NULL)
 1857                 return ipsec4_in_reject_so(m, NULL);
 1858         if (inp->inp_socket)
 1859                 return ipsec4_in_reject_so(m, inp->inp_socket);
 1860         else
 1861                 panic("ipsec4_in_reject: invalid inpcb/socket");
 1862 }
 1863 
 1864 #ifdef INET6
 1865 /*
 1866  * Check AH/ESP integrity.
 1867  * This function is called from tcp6_input(), udp6_input(),
 1868  * and {ah,esp}6_input for tunnel mode
 1869  */
 1870 int
 1871 ipsec6_in_reject_so(m, so)
 1872         struct mbuf *m;
 1873         struct socket *so;
 1874 {
 1875         struct secpolicy *sp = NULL;
 1876         int error;
 1877         int result;
 1878 
 1879         /* sanity check */
 1880         if (m == NULL)
 1881                 return 0;       /* XXX should be panic ? */
 1882 
 1883         /* get SP for this packet.
 1884          * When we are called from ip_forward(), we call
 1885          * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
 1886          */
 1887         if (so == NULL)
 1888                 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
 1889                     IP_FORWARDING, &error);
 1890         else
 1891                 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
 1892 
 1893         if (sp == NULL)
 1894                 return 0;       /* XXX should be panic ? */
 1895 
 1896         result = ipsec_in_reject(sp, m);
 1897         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 1898                 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
 1899         key_freesp(sp);
 1900 
 1901         return result;
 1902 }
 1903 
 1904 int
 1905 ipsec6_in_reject(m, in6p)
 1906         struct mbuf *m;
 1907         struct in6pcb *in6p;
 1908 {
 1909         if (in6p == NULL)
 1910                 return ipsec6_in_reject_so(m, NULL);
 1911         if (in6p->in6p_socket)
 1912                 return ipsec6_in_reject_so(m, in6p->in6p_socket);
 1913         else
 1914                 panic("ipsec6_in_reject: invalid in6p/socket");
 1915 }
 1916 #endif
 1917 
 1918 /*
 1919  * compute the byte size to be occupied by IPsec header.
 1920  * in case it is tunneled, it includes the size of outer IP header.
 1921  * NOTE: SP passed is free in this function.
 1922  */
 1923 static size_t
 1924 ipsec_hdrsiz(sp)
 1925         struct secpolicy *sp;
 1926 {
 1927         struct ipsecrequest *isr;
 1928         size_t siz, clen;
 1929 
 1930         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 1931                 printf("ipsec_hdrsiz: using SP\n");
 1932                 kdebug_secpolicy(sp));
 1933 
 1934         /* check policy */
 1935         switch (sp->policy) {
 1936         case IPSEC_POLICY_DISCARD:
 1937         case IPSEC_POLICY_BYPASS:
 1938         case IPSEC_POLICY_NONE:
 1939                 return 0;
 1940 
 1941         case IPSEC_POLICY_IPSEC:
 1942                 break;
 1943 
 1944         case IPSEC_POLICY_ENTRUST:
 1945         default:
 1946                 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
 1947         }
 1948 
 1949         siz = 0;
 1950 
 1951         for (isr = sp->req; isr != NULL; isr = isr->next) {
 1952 
 1953                 clen = 0;
 1954 
 1955                 switch (isr->saidx.proto) {
 1956                 case IPPROTO_ESP:
 1957 #ifdef IPSEC_ESP
 1958                         clen = esp_hdrsiz(isr);
 1959 #else
 1960                         clen = 0;       /* XXX */
 1961 #endif
 1962                         break;
 1963                 case IPPROTO_AH:
 1964                         clen = ah_hdrsiz(isr);
 1965                         break;
 1966                 case IPPROTO_IPCOMP:
 1967                         clen = sizeof(struct ipcomp);
 1968                         break;
 1969                 case IPPROTO_IPV4:
 1970                 case IPPROTO_IPV6:
 1971                         /* the next "if" clause will compute it */
 1972                         clen = 0;
 1973                         break;
 1974                 }
 1975 
 1976                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 1977                         switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
 1978                         case AF_INET:
 1979                                 clen += sizeof(struct ip);
 1980                                 break;
 1981 #ifdef INET6
 1982                         case AF_INET6:
 1983                                 clen += sizeof(struct ip6_hdr);
 1984                                 break;
 1985 #endif
 1986                         default:
 1987                                 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
 1988                                     "unknown AF %d in IPsec tunnel SA\n",
 1989                                     ((struct sockaddr *)&isr->saidx.dst)->sa_family));
 1990                                 break;
 1991                         }
 1992                 }
 1993                 siz += clen;
 1994         }
 1995 
 1996         return siz;
 1997 }
 1998 
 1999 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
 2000 size_t
 2001 ipsec4_hdrsiz(m, dir, inp)
 2002         struct mbuf *m;
 2003         u_int dir;
 2004         struct inpcb *inp;
 2005 {
 2006         struct secpolicy *sp = NULL;
 2007         int error;
 2008         size_t size;
 2009 
 2010         /* sanity check */
 2011         if (m == NULL)
 2012                 return 0;       /* XXX should be panic ? */
 2013         if (inp != NULL && inp->inp_socket == NULL)
 2014                 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
 2015 
 2016         /* get SP for this packet.
 2017          * When we are called from ip_forward(), we call
 2018          * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
 2019          */
 2020         if (inp == NULL)
 2021                 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
 2022         else
 2023                 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
 2024 
 2025         if (sp == NULL)
 2026                 return 0;       /* XXX should be panic ? */
 2027 
 2028         size = ipsec_hdrsiz(sp);
 2029         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 2030                 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
 2031         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2032                 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
 2033         key_freesp(sp);
 2034 
 2035         return size;
 2036 }
 2037 
 2038 #ifdef INET6
 2039 /* This function is called from ipsec6_hdrsize_tcp(),
 2040  * and maybe from ip6_forward.()
 2041  */
 2042 size_t
 2043 ipsec6_hdrsiz(m, dir, in6p)
 2044         struct mbuf *m;
 2045         u_int dir;
 2046         struct in6pcb *in6p;
 2047 {
 2048         struct secpolicy *sp = NULL;
 2049         int error;
 2050         size_t size;
 2051 
 2052         /* sanity check */
 2053         if (m == NULL)
 2054                 return 0;       /* XXX should be panic ? */
 2055         if (in6p != NULL && in6p->in6p_socket == NULL)
 2056                 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
 2057 
 2058         /* get SP for this packet */
 2059         /* XXX Is it right to call with IP_FORWARDING. */
 2060         if (in6p == NULL)
 2061                 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
 2062         else
 2063                 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
 2064 
 2065         if (sp == NULL)
 2066                 return 0;
 2067         size = ipsec_hdrsiz(sp);
 2068         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 2069                 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
 2070         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2071                 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
 2072         key_freesp(sp);
 2073 
 2074         return size;
 2075 }
 2076 #endif /* INET6 */
 2077 
 2078 #ifdef INET
 2079 /*
 2080  * encapsulate for ipsec tunnel.
 2081  * ip->ip_src must be fixed later on.
 2082  */
 2083 static int
 2084 ipsec4_encapsulate(m, sav)
 2085         struct mbuf *m;
 2086         struct secasvar *sav;
 2087 {
 2088         struct ip *oip;
 2089         struct ip *ip;
 2090         size_t hlen;
 2091         size_t plen;
 2092 
 2093         /* can't tunnel between different AFs */
 2094         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2095                 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
 2096          || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
 2097                 m_freem(m);
 2098                 return EINVAL;
 2099         }
 2100 #if 0
 2101         /* XXX if the dst is myself, perform nothing. */
 2102         if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
 2103                 m_freem(m);
 2104                 return EINVAL;
 2105         }
 2106 #endif
 2107 
 2108         if (m->m_len < sizeof(*ip))
 2109                 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
 2110 
 2111         ip = mtod(m, struct ip *);
 2112         hlen = ip->ip_hl << 2;
 2113 
 2114         if (m->m_len != hlen)
 2115                 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
 2116 
 2117         /* generate header checksum */
 2118         ip->ip_sum = 0;
 2119         ip->ip_sum = in_cksum(m, hlen);
 2120 
 2121         plen = m->m_pkthdr.len;
 2122 
 2123         /*
 2124          * grow the mbuf to accomodate the new IPv4 header.
 2125          * NOTE: IPv4 options will never be copied.
 2126          */
 2127         if (M_LEADINGSPACE(m->m_next) < hlen) {
 2128                 struct mbuf *n;
 2129                 MGET(n, M_DONTWAIT, MT_DATA);
 2130                 if (!n) {
 2131                         m_freem(m);
 2132                         return ENOBUFS;
 2133                 }
 2134                 n->m_len = hlen;
 2135                 n->m_next = m->m_next;
 2136                 m->m_next = n;
 2137         } else {
 2138                 m->m_next->m_len += hlen;
 2139                 m->m_next->m_data -= hlen;
 2140         }
 2141         oip = mtod(m->m_next, struct ip *);
 2142         m->m_pkthdr.len += hlen;
 2143         ip = mtod(m, struct ip *);
 2144         ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
 2145         m->m_len = sizeof(struct ip);
 2146         m->m_pkthdr.len -= (hlen - sizeof(struct ip));
 2147 
 2148         /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
 2149         /* ECN consideration. */
 2150         ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
 2151         ip->ip_hl = sizeof(struct ip) >> 2;
 2152         ip->ip_off &= htons(~IP_OFFMASK);
 2153         ip->ip_off &= htons(~IP_MF);
 2154         switch (ip4_ipsec_dfbit) {
 2155         case 0: /* clear DF bit */
 2156                 ip->ip_off &= htons(~IP_DF);
 2157                 break;
 2158         case 1: /* set DF bit */
 2159                 ip->ip_off |= htons(IP_DF);
 2160                 break;
 2161         default:        /* copy DF bit */
 2162                 break;
 2163         }
 2164         ip->ip_p = IPPROTO_IPIP;
 2165         if (plen + sizeof(struct ip) < IP_MAXPACKET)
 2166                 ip->ip_len = htons(plen + sizeof(struct ip));
 2167         else {
 2168                 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
 2169                     "leave ip_len as is (invalid packet)\n"));
 2170         }
 2171         ip->ip_id = ip_newid();
 2172         bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
 2173                 &ip->ip_src, sizeof(ip->ip_src));
 2174         bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
 2175                 &ip->ip_dst, sizeof(ip->ip_dst));
 2176         ip->ip_ttl = IPDEFTTL;
 2177 
 2178         /* XXX Should ip_src be updated later ? */
 2179 
 2180         return 0;
 2181 }
 2182 #endif /* INET */
 2183 
 2184 #ifdef INET6
 2185 static int
 2186 ipsec6_encapsulate(m, sav)
 2187         struct mbuf *m;
 2188         struct secasvar *sav;
 2189 {
 2190         struct ip6_hdr *oip6;
 2191         struct ip6_hdr *ip6;
 2192         size_t plen;
 2193 
 2194         /* can't tunnel between different AFs */
 2195         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2196                 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
 2197          || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
 2198                 m_freem(m);
 2199                 return EINVAL;
 2200         }
 2201 #if 0
 2202         /* XXX if the dst is myself, perform nothing. */
 2203         if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
 2204                 m_freem(m);
 2205                 return EINVAL;
 2206         }
 2207 #endif
 2208 
 2209         plen = m->m_pkthdr.len;
 2210 
 2211         /*
 2212          * grow the mbuf to accomodate the new IPv6 header.
 2213          */
 2214         if (m->m_len != sizeof(struct ip6_hdr))
 2215                 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
 2216         if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
 2217                 struct mbuf *n;
 2218                 MGET(n, M_DONTWAIT, MT_DATA);
 2219                 if (!n) {
 2220                         m_freem(m);
 2221                         return ENOBUFS;
 2222                 }
 2223                 n->m_len = sizeof(struct ip6_hdr);
 2224                 n->m_next = m->m_next;
 2225                 m->m_next = n;
 2226                 m->m_pkthdr.len += sizeof(struct ip6_hdr);
 2227                 oip6 = mtod(n, struct ip6_hdr *);
 2228         } else {
 2229                 m->m_next->m_len += sizeof(struct ip6_hdr);
 2230                 m->m_next->m_data -= sizeof(struct ip6_hdr);
 2231                 m->m_pkthdr.len += sizeof(struct ip6_hdr);
 2232                 oip6 = mtod(m->m_next, struct ip6_hdr *);
 2233         }
 2234         ip6 = mtod(m, struct ip6_hdr *);
 2235         ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
 2236 
 2237         /* Fake link-local scope-class addresses */
 2238         in6_clearscope(&oip6->ip6_src);
 2239         in6_clearscope(&oip6->ip6_dst);
 2240 
 2241         /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
 2242         /* ECN consideration. */
 2243         ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
 2244         if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
 2245                 ip6->ip6_plen = htons(plen);
 2246         else {
 2247                 /* ip6->ip6_plen will be updated in ip6_output() */
 2248         }
 2249         ip6->ip6_nxt = IPPROTO_IPV6;
 2250         in6_embedscope(&ip6->ip6_src,
 2251             (struct sockaddr_in6 *)&sav->sah->saidx.src, NULL, NULL);
 2252         in6_embedscope(&ip6->ip6_dst, 
 2253             (struct sockaddr_in6 *)&sav->sah->saidx.dst, NULL, NULL);
 2254         ip6->ip6_hlim = IPV6_DEFHLIM;
 2255 
 2256         /* XXX Should ip6_src be updated later ? */
 2257 
 2258         return 0;
 2259 }
 2260 #endif /* INET6 */
 2261 
 2262 /*
 2263  * Check the variable replay window.
 2264  * ipsec_chkreplay() performs replay check before ICV verification.
 2265  * ipsec_updatereplay() updates replay bitmap.  This must be called after
 2266  * ICV verification (it also performs replay check, which is usually done
 2267  * beforehand).
 2268  * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
 2269  *
 2270  * based on RFC 2401.
 2271  *
 2272  * XXX need to update for 64bit sequence number - 2401bis
 2273  */
 2274 int
 2275 ipsec_chkreplay(seq, sav)
 2276         u_int32_t seq;
 2277         struct secasvar *sav;
 2278 {
 2279         const struct secreplay *replay;
 2280         u_int32_t diff;
 2281         int fr;
 2282         u_int32_t wsizeb;       /* constant: bits of window size */
 2283         int frlast;             /* constant: last frame */
 2284 
 2285         /* sanity check */
 2286         if (sav == NULL)
 2287                 panic("ipsec_chkreplay: NULL pointer was passed.");
 2288 
 2289         replay = sav->replay;
 2290 
 2291         if (replay->wsize == 0)
 2292                 return 1;       /* no need to check replay. */
 2293 
 2294         /* constant */
 2295         frlast = replay->wsize - 1;
 2296         wsizeb = replay->wsize << 3;
 2297 
 2298         /* sequence number of 0 is invalid */
 2299         if (seq == 0)
 2300                 return 0;
 2301 
 2302         /* first time is always okay */
 2303         if (replay->count == 0)
 2304                 return 1;
 2305 
 2306         if (seq > replay->lastseq) {
 2307                 /* larger sequences are okay */
 2308                 return 1;
 2309         } else {
 2310                 /* seq is equal or less than lastseq. */
 2311                 diff = replay->lastseq - seq;
 2312 
 2313                 /* over range to check, i.e. too old or wrapped */
 2314                 if (diff >= wsizeb)
 2315                         return 0;
 2316 
 2317                 fr = frlast - diff / 8;
 2318 
 2319                 /* this packet already seen ? */
 2320                 if (replay->bitmap[fr] & (1 << (diff % 8)))
 2321                         return 0;
 2322 
 2323                 /* out of order but good */
 2324                 return 1;
 2325         }
 2326 }
 2327 
 2328 /*
 2329  * check replay counter whether to update or not.
 2330  * OUT: 0:      OK
 2331  *      1:      NG
 2332  * XXX need to update for 64bit sequence number - 2401bis
 2333  */
 2334 int
 2335 ipsec_updatereplay(seq, sav)
 2336         u_int32_t seq;
 2337         struct secasvar *sav;
 2338 {
 2339         struct secreplay *replay;
 2340         u_int64_t diff;
 2341         int fr;
 2342         u_int32_t wsizeb;       /* constant: bits of window size */
 2343         int frlast;             /* constant: last frame */
 2344 
 2345         /* sanity check */
 2346         if (sav == NULL)
 2347                 panic("ipsec_chkreplay: NULL pointer was passed.");
 2348 
 2349         replay = sav->replay;
 2350 
 2351         if (replay->wsize == 0)
 2352                 goto ok;        /* no need to check replay. */
 2353 
 2354         /* constant */
 2355         frlast = replay->wsize - 1;
 2356         wsizeb = replay->wsize << 3;
 2357 
 2358         /* sequence number of 0 is invalid */
 2359         if (seq == 0)
 2360                 return 1;
 2361 
 2362         /* first time */
 2363         if (replay->count == 0) {
 2364                 replay->lastseq = seq;
 2365                 bzero(replay->bitmap, replay->wsize);
 2366                 replay->bitmap[frlast] = 1;
 2367                 goto ok;
 2368         }
 2369 
 2370         if (seq > replay->lastseq) {
 2371                 /* seq is larger than lastseq. */
 2372                 diff = seq - replay->lastseq;
 2373 
 2374                 /* new larger sequence number */
 2375                 if (diff < wsizeb) {
 2376                         /* In window */
 2377                         /* set bit for this packet */
 2378                         vshiftl(replay->bitmap, diff, replay->wsize);
 2379                         replay->bitmap[frlast] |= 1;
 2380                 } else {
 2381                         /* this packet has a "way larger" */
 2382                         bzero(replay->bitmap, replay->wsize);
 2383                         replay->bitmap[frlast] = 1;
 2384                 }
 2385                 replay->lastseq = seq;
 2386 
 2387                 /* larger is good */
 2388         } else {
 2389                 /* seq is equal or less than lastseq. */
 2390                 diff = replay->lastseq - seq;
 2391 
 2392                 /* over range to check, i.e. too old or wrapped */
 2393                 if (diff >= wsizeb)
 2394                         return 1;
 2395 
 2396                 fr = frlast - diff / 8;
 2397 
 2398                 /* this packet already seen ? */
 2399                 if (replay->bitmap[fr] & (1 << (diff % 8)))
 2400                         return 1;
 2401 
 2402                 /* mark as seen */
 2403                 replay->bitmap[fr] |= (1 << (diff % 8));
 2404 
 2405                 /* out of order but good */
 2406         }
 2407 
 2408 ok:
 2409         if (replay->count == 0xffffffff) {
 2410 
 2411                 /* set overflow flag */
 2412                 replay->overflow++;
 2413 
 2414                 /* don't increment, no more packets accepted */
 2415                 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
 2416                         return 1;
 2417 
 2418                 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
 2419                     replay->overflow, ipsec_logsastr(sav)));
 2420         }
 2421 
 2422         replay->count++;
 2423 
 2424         return 0;
 2425 }
 2426 
 2427 /*
 2428  * shift variable length buffer to left.
 2429  * IN:  bitmap: pointer to the buffer
 2430  *      nbit:   the number of to shift.
 2431  *      wsize:  buffer size (bytes).
 2432  */
 2433 static void
 2434 vshiftl(bitmap, nbit, wsize)
 2435         unsigned char *bitmap;
 2436         int nbit, wsize;
 2437 {
 2438         int s, j, i;
 2439         unsigned char over;
 2440 
 2441         for (j = 0; j < nbit; j += 8) {
 2442                 s = (nbit - j < 8) ? (nbit - j): 8;
 2443                 bitmap[0] <<= s;
 2444                 for (i = 1; i < wsize; i++) {
 2445                         over = (bitmap[i] >> (8 - s));
 2446                         bitmap[i] <<= s;
 2447                         bitmap[i - 1] |= over;
 2448                 }
 2449         }
 2450 
 2451         return;
 2452 }
 2453 
 2454 const char *
 2455 ipsec4_logpacketstr(ip, spi)
 2456         struct ip *ip;
 2457         u_int32_t spi;
 2458 {
 2459         static char buf[256];
 2460         char *p;
 2461         u_int8_t *s, *d;
 2462 
 2463         s = (u_int8_t *)(&ip->ip_src);
 2464         d = (u_int8_t *)(&ip->ip_dst);
 2465 
 2466         p = buf;
 2467         snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
 2468         while (p && *p)
 2469                 p++;
 2470         snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
 2471                 s[0], s[1], s[2], s[3]);
 2472         while (p && *p)
 2473                 p++;
 2474         snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
 2475                 d[0], d[1], d[2], d[3]);
 2476         while (p && *p)
 2477                 p++;
 2478         snprintf(p, sizeof(buf) - (p - buf), ")");
 2479 
 2480         return buf;
 2481 }
 2482 
 2483 #ifdef INET6
 2484 const char *
 2485 ipsec6_logpacketstr(ip6, spi)
 2486         struct ip6_hdr *ip6;
 2487         u_int32_t spi;
 2488 {
 2489         static char buf[256];
 2490         char *p;
 2491 
 2492         p = buf;
 2493         snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
 2494         while (p && *p)
 2495                 p++;
 2496         snprintf(p, sizeof(buf) - (p - buf), "src=%s",
 2497                 ip6_sprintf(&ip6->ip6_src));
 2498         while (p && *p)
 2499                 p++;
 2500         snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
 2501                 ip6_sprintf(&ip6->ip6_dst));
 2502         while (p && *p)
 2503                 p++;
 2504         snprintf(p, sizeof(buf) - (p - buf), ")");
 2505 
 2506         return buf;
 2507 }
 2508 #endif /* INET6 */
 2509 
 2510 const char *
 2511 ipsec_logsastr(sav)
 2512         struct secasvar *sav;
 2513 {
 2514         static char buf[256];
 2515         char *p;
 2516         struct secasindex *saidx = &sav->sah->saidx;
 2517 
 2518         /* validity check */
 2519         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2520                         != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
 2521                 panic("ipsec_logsastr: family mismatched.");
 2522 
 2523         p = buf;
 2524         snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
 2525         while (p && *p)
 2526                 p++;
 2527         if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
 2528                 u_int8_t *s, *d;
 2529                 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
 2530                 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
 2531                 snprintf(p, sizeof(buf) - (p - buf),
 2532                         "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
 2533                         s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
 2534         }
 2535 #ifdef INET6
 2536         else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
 2537                 snprintf(p, sizeof(buf) - (p - buf),
 2538                         "src=%s",
 2539                         ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
 2540                 while (p && *p)
 2541                         p++;
 2542                 snprintf(p, sizeof(buf) - (p - buf),
 2543                         " dst=%s",
 2544                         ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
 2545         }
 2546 #endif
 2547         while (p && *p)
 2548                 p++;
 2549         snprintf(p, sizeof(buf) - (p - buf), ")");
 2550 
 2551         return buf;
 2552 }
 2553 
 2554 void
 2555 ipsec_dumpmbuf(m)
 2556         struct mbuf *m;
 2557 {
 2558         int totlen;
 2559         int i;
 2560         u_char *p;
 2561 
 2562         totlen = 0;
 2563         printf("---\n");
 2564         while (m) {
 2565                 p = mtod(m, u_char *);
 2566                 for (i = 0; i < m->m_len; i++) {
 2567                         printf("%02x ", p[i]);
 2568                         totlen++;
 2569                         if (totlen % 16 == 0)
 2570                                 printf("\n");
 2571                 }
 2572                 m = m->m_next;
 2573         }
 2574         if (totlen % 16 != 0)
 2575                 printf("\n");
 2576         printf("---\n");
 2577 }
 2578 
 2579 #ifdef INET
 2580 static int
 2581 ipsec4_checksa(isr, state)
 2582         struct ipsecrequest *isr;
 2583         struct ipsec_output_state *state;
 2584 {
 2585         struct ip *ip;
 2586         struct secasindex saidx;
 2587         struct sockaddr_in *sin;
 2588 
 2589         /* make SA index for search proper SA */
 2590         ip = mtod(state->m, struct ip *);
 2591         bcopy(&isr->saidx, &saidx, sizeof(saidx));
 2592         saidx.mode = isr->saidx.mode;
 2593         saidx.reqid = isr->saidx.reqid;
 2594         sin = (struct sockaddr_in *)&saidx.src;
 2595         if (sin->sin_len == 0) {
 2596                 bzero(sin, sizeof(*sin));
 2597                 sin->sin_len = sizeof(*sin);
 2598                 sin->sin_family = AF_INET;
 2599                 sin->sin_port = IPSEC_PORT_ANY;
 2600                 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
 2601         }
 2602         sin = (struct sockaddr_in *)&saidx.dst;
 2603         if (sin->sin_len == 0) {
 2604                 bzero(sin, sizeof(*sin));
 2605                 sin->sin_len = sizeof(*sin);
 2606                 sin->sin_family = AF_INET;
 2607                 sin->sin_port = IPSEC_PORT_ANY;
 2608                 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
 2609         }
 2610 
 2611         return key_checkrequest(isr, &saidx);
 2612 }
 2613 /*
 2614  * IPsec output logic for IPv4.
 2615  */
 2616 int
 2617 ipsec4_output(state, sp, flags)
 2618         struct ipsec_output_state *state;
 2619         struct secpolicy *sp;
 2620         int flags;
 2621 {
 2622         struct ip *ip = NULL;
 2623         struct ipsecrequest *isr = NULL;
 2624         int s;
 2625         int error;
 2626         struct sockaddr_in *dst4;
 2627 
 2628         if (!state)
 2629                 panic("state == NULL in ipsec4_output");
 2630         if (!state->m)
 2631                 panic("state->m == NULL in ipsec4_output");
 2632         if (!state->ro)
 2633                 panic("state->ro == NULL in ipsec4_output");
 2634         if (!state->dst)
 2635                 panic("state->dst == NULL in ipsec4_output");
 2636         state->encap = 0;
 2637 
 2638         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2639                 printf("ipsec4_output: applyed SP\n");
 2640                 kdebug_secpolicy(sp));
 2641 
 2642         for (isr = sp->req; isr != NULL; isr = isr->next) {
 2643 
 2644 #if 0   /* give up to check restriction of transport mode */
 2645         /* XXX but should be checked somewhere */
 2646                 /*
 2647                  * some of the IPsec operation must be performed only in
 2648                  * originating case.
 2649                  */
 2650                 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
 2651                  && (flags & IP_FORWARDING))
 2652                         continue;
 2653 #endif
 2654                 error = ipsec4_checksa(isr, state);
 2655                 if (error != 0) {
 2656                         /*
 2657                          * IPsec processing is required, but no SA found.
 2658                          * I assume that key_acquire() had been called
 2659                          * to get/establish the SA. Here I discard
 2660                          * this packet because it is responsibility for
 2661                          * upper layer to retransmit the packet.
 2662                          */
 2663                         ipsecstat.out_nosa++;
 2664                         goto bad;
 2665                 }
 2666 
 2667                 /* validity check */
 2668                 if (isr->sav == NULL) {
 2669                         switch (ipsec_get_reqlevel(isr, AF_INET)) {
 2670                         case IPSEC_LEVEL_USE:
 2671                                 continue;
 2672                         case IPSEC_LEVEL_REQUIRE:
 2673                                 if (isr->saidx.proto == AF_INET ||
 2674                                     isr->saidx.proto == AF_INET6)
 2675                                         break;
 2676                                 /* must be not reached here. */
 2677                                 panic("ipsec4_output: no SA found, but required.");
 2678                         }
 2679                 }
 2680 
 2681                 /*
 2682                  * If there is no valid SA, we give up to process any
 2683                  * more.  In such a case, the SA's status is changed
 2684                  * from DYING to DEAD after allocating.  If a packet
 2685                  * send to the receiver by dead SA, the receiver can
 2686                  * not decode a packet because SA has been dead.
 2687                  */
 2688                 if (isr->sav->state != SADB_SASTATE_MATURE
 2689                  && isr->sav->state != SADB_SASTATE_DYING) {
 2690                         ipsecstat.out_nosa++;
 2691                         error = EINVAL;
 2692                         goto bad;
 2693                 }
 2694 
 2695                 /*
 2696                  * There may be the case that SA status will be changed when
 2697                  * we are refering to one. So calling splsoftnet().
 2698                  */
 2699                 s = splsoftnet();
 2700 
 2701                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2702                         /*
 2703                          * build IPsec tunnel.
 2704                          */
 2705                         /* XXX should be processed with other familiy */
 2706                         if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
 2707                                 ipseclog((LOG_ERR, "ipsec4_output: "
 2708                                     "family mismatched between inner and outer spi=%u\n",
 2709                                     (u_int32_t)ntohl(isr->sav->spi)));
 2710                                 splx(s);
 2711                                 error = EAFNOSUPPORT;
 2712                                 goto bad;
 2713                         }
 2714 
 2715                         state->m = ipsec4_splithdr(state->m);
 2716                         if (!state->m) {
 2717                                 splx(s);
 2718                                 error = ENOMEM;
 2719                                 goto bad;
 2720                         }
 2721                         error = ipsec4_encapsulate(state->m, isr->sav);
 2722                         splx(s);
 2723                         if (error) {
 2724                                 state->m = NULL;
 2725                                 goto bad;
 2726                         }
 2727                         ip = mtod(state->m, struct ip *);
 2728 
 2729                         state->ro = &isr->sav->sah->sa_route;
 2730                         state->dst = (struct sockaddr *)&state->ro->ro_dst;
 2731                         dst4 = (struct sockaddr_in *)state->dst;
 2732                         if (state->ro->ro_rt
 2733                          && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
 2734                           || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
 2735                                 RTFREE(state->ro->ro_rt);
 2736                                 bzero((caddr_t)state->ro, sizeof (*state->ro));
 2737                         }
 2738                         if (state->ro->ro_rt == 0) {
 2739                                 dst4->sin_family = AF_INET;
 2740                                 dst4->sin_len = sizeof(*dst4);
 2741                                 dst4->sin_addr = ip->ip_dst;
 2742                                 rtalloc(state->ro);
 2743                         }
 2744                         if (state->ro->ro_rt == 0) {
 2745                                 ipstat.ips_noroute++;
 2746                                 error = EHOSTUNREACH;
 2747                                 goto bad;
 2748                         }
 2749 
 2750                         /* adjust state->dst if tunnel endpoint is offlink */
 2751                         if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
 2752                                 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
 2753                                 dst4 = (struct sockaddr_in *)state->dst;
 2754                         }
 2755 
 2756                         state->encap++;
 2757                 } else
 2758                         splx(s);
 2759 
 2760                 state->m = ipsec4_splithdr(state->m);
 2761                 if (!state->m) {
 2762                         error = ENOMEM;
 2763                         goto bad;
 2764                 }
 2765                 switch (isr->saidx.proto) {
 2766                 case IPPROTO_ESP:
 2767 #ifdef IPSEC_ESP
 2768                         if ((error = esp4_output(state->m, isr)) != 0) {
 2769                                 state->m = NULL;
 2770                                 goto bad;
 2771                         }
 2772                         break;
 2773 #else
 2774                         m_freem(state->m);
 2775                         state->m = NULL;
 2776                         error = EINVAL;
 2777                         goto bad;
 2778 #endif
 2779                 case IPPROTO_AH:
 2780                         if ((error = ah4_output(state->m, isr)) != 0) {
 2781                                 state->m = NULL;
 2782                                 goto bad;
 2783                         }
 2784                         break;
 2785                 case IPPROTO_IPCOMP:
 2786                         if ((error = ipcomp4_output(state->m, isr)) != 0) {
 2787                                 state->m = NULL;
 2788                                 goto bad;
 2789                         }
 2790                         break;
 2791                 case IPPROTO_IPV4:
 2792                         break;
 2793                 case IPPROTO_IPV6:
 2794                         ipseclog((LOG_ERR, "ipsec4_output: "
 2795                             "family mismatched between inner and outer "
 2796                             "header\n"));
 2797                         error = EAFNOSUPPORT;
 2798                         goto bad;
 2799                 default:
 2800                         ipseclog((LOG_ERR,
 2801                             "ipsec4_output: unknown ipsec protocol %d\n",
 2802                             isr->saidx.proto));
 2803                         m_freem(state->m);
 2804                         state->m = NULL;
 2805                         error = EINVAL;
 2806                         goto bad;
 2807                 }
 2808 
 2809                 if (state->m == 0) {
 2810                         error = ENOMEM;
 2811                         goto bad;
 2812                 }
 2813                 ip = mtod(state->m, struct ip *);
 2814         }
 2815 
 2816         return 0;
 2817 
 2818 bad:
 2819         m_freem(state->m);
 2820         state->m = NULL;
 2821         return error;
 2822 }
 2823 #endif
 2824 
 2825 #ifdef INET6
 2826 static int
 2827 ipsec6_checksa(isr, state, tunnel)
 2828         struct ipsecrequest *isr;
 2829         struct ipsec_output_state *state;
 2830         int tunnel;
 2831 {
 2832         struct ip6_hdr *ip6;
 2833         struct secasindex saidx;
 2834         struct sockaddr_in6 *sin6;
 2835 
 2836         if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2837 #ifdef DIAGNOSTIC
 2838                 if (!tunnel)
 2839                         panic("ipsec6_checksa/inconsistent tunnel attribute");
 2840 #endif
 2841                 /* When tunnel mode, SA peers must be specified. */
 2842                 return key_checkrequest(isr, &isr->saidx);
 2843         }
 2844 
 2845         /* make SA index for search proper SA */
 2846         ip6 = mtod(state->m, struct ip6_hdr *);
 2847         if (tunnel) {
 2848                 bzero(&saidx, sizeof(saidx));
 2849                 saidx.proto = isr->saidx.proto;
 2850         } else
 2851                 bcopy(&isr->saidx, &saidx, sizeof(saidx));
 2852         saidx.mode = isr->saidx.mode;
 2853         saidx.reqid = isr->saidx.reqid;
 2854         sin6 = (struct sockaddr_in6 *)&saidx.src;
 2855         if (sin6->sin6_len == 0 || tunnel) {
 2856                 bzero(sin6, sizeof(*sin6));
 2857                 sin6->sin6_len = sizeof(*sin6);
 2858                 sin6->sin6_family = AF_INET6;
 2859                 sin6->sin6_port = IPSEC_PORT_ANY;
 2860                 in6_recoverscope(sin6, &ip6->ip6_src, NULL);
 2861         }
 2862         sin6 = (struct sockaddr_in6 *)&saidx.dst;
 2863         if (sin6->sin6_len == 0 || tunnel) {
 2864                 bzero(sin6, sizeof(*sin6));
 2865                 sin6->sin6_len = sizeof(*sin6);
 2866                 sin6->sin6_family = AF_INET6;
 2867                 sin6->sin6_port = IPSEC_PORT_ANY;
 2868                 in6_recoverscope(sin6, &ip6->ip6_dst, NULL);
 2869         }
 2870 
 2871         return key_checkrequest(isr, &saidx);
 2872 }
 2873 /*
 2874  * IPsec output logic for IPv6, transport mode.
 2875  */
 2876 int
 2877 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
 2878         struct ipsec_output_state *state;
 2879         u_char *nexthdrp;
 2880         struct mbuf *mprev;
 2881         struct secpolicy *sp;
 2882         int flags;
 2883         int *tun;
 2884 {
 2885         struct ip6_hdr *ip6;
 2886         struct ipsecrequest *isr = NULL;
 2887         int error = 0;
 2888         int plen;
 2889 
 2890         if (!state)
 2891                 panic("state == NULL in ipsec6_output_trans");
 2892         if (!state->m)
 2893                 panic("state->m == NULL in ipsec6_output_trans");
 2894         if (!nexthdrp)
 2895                 panic("nexthdrp == NULL in ipsec6_output_trans");
 2896         if (!mprev)
 2897                 panic("mprev == NULL in ipsec6_output_trans");
 2898         if (!sp)
 2899                 panic("sp == NULL in ipsec6_output_trans");
 2900         if (!tun)
 2901                 panic("tun == NULL in ipsec6_output_trans");
 2902 
 2903         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2904                 printf("ipsec6_output_trans: applyed SP\n");
 2905                 kdebug_secpolicy(sp));
 2906 
 2907         *tun = 0;
 2908         for (isr = sp->req; isr; isr = isr->next) {
 2909                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2910                         /* the rest will be handled by ipsec6_output_tunnel() */
 2911                         break;
 2912                 }
 2913 
 2914                 error = ipsec6_checksa(isr, state, 0);
 2915                 if (error == ENOENT) {
 2916                         /*
 2917                          * IPsec processing is required, but no SA found.
 2918                          * I assume that key_acquire() had been called
 2919                          * to get/establish the SA. Here I discard
 2920                          * this packet because it is responsibility for
 2921                          * upper layer to retransmit the packet.
 2922                          */
 2923                         ipsec6stat.out_nosa++;
 2924 
 2925                         /*
 2926                          * Notify the fact that the packet is discarded
 2927                          * to ourselves. I believe this is better than
 2928                          * just silently discarding. (jinmei@kame.net)
 2929                          * XXX: should we restrict the error to TCP packets?
 2930                          * XXX: should we directly notify sockets via
 2931                          *      pfctlinputs?
 2932                          *
 2933                          * Noone have initialized rcvif until this point,
 2934                          * so clear it.
 2935                          */
 2936                         if ((state->m->m_flags & M_PKTHDR) != 0)
 2937                                 state->m->m_pkthdr.rcvif = NULL;
 2938                         icmp6_error(state->m, ICMP6_DST_UNREACH,
 2939                                     ICMP6_DST_UNREACH_ADMIN, 0);
 2940                         state->m = NULL; /* icmp6_error freed the mbuf */
 2941                         goto bad;
 2942                 }
 2943 
 2944                 /* validity check */
 2945                 if (isr->sav == NULL) {
 2946                         switch (ipsec_get_reqlevel(isr, AF_INET6)) {
 2947                         case IPSEC_LEVEL_USE:
 2948                                 continue;
 2949                         case IPSEC_LEVEL_REQUIRE:
 2950                                 /* must be not reached here. */
 2951                                 panic("ipsec6_output_trans: no SA found, but required.");
 2952                         }
 2953                 }
 2954 
 2955                 /*
 2956                  * If there is no valid SA, we give up to process.
 2957                  * see same place at ipsec4_output().
 2958                  */
 2959                 if (isr->sav->state != SADB_SASTATE_MATURE
 2960                  && isr->sav->state != SADB_SASTATE_DYING) {
 2961                         ipsec6stat.out_nosa++;
 2962                         error = EINVAL;
 2963                         goto bad;
 2964                 }
 2965 
 2966                 switch (isr->saidx.proto) {
 2967                 case IPPROTO_ESP:
 2968 #ifdef IPSEC_ESP
 2969                         error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
 2970 #else
 2971                         m_freem(state->m);
 2972                         error = EINVAL;
 2973 #endif
 2974                         break;
 2975                 case IPPROTO_AH:
 2976                         error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
 2977                         break;
 2978                 case IPPROTO_IPCOMP:
 2979                         error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
 2980                         break;
 2981                 default:
 2982                         ipseclog((LOG_ERR, "ipsec6_output_trans: "
 2983                             "unknown ipsec protocol %d\n", isr->saidx.proto));
 2984                         m_freem(state->m);
 2985                         ipsec6stat.out_inval++;
 2986                         error = EINVAL;
 2987                         break;
 2988                 }
 2989                 if (error) {
 2990                         state->m = NULL;
 2991                         goto bad;
 2992                 }
 2993                 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
 2994                 if (plen > IPV6_MAXPACKET) {
 2995                         ipseclog((LOG_ERR, "ipsec6_output_trans: "
 2996                             "IPsec with IPv6 jumbogram is not supported\n"));
 2997                         ipsec6stat.out_inval++;
 2998                         error = EINVAL; /* XXX */
 2999                         goto bad;
 3000                 }
 3001                 ip6 = mtod(state->m, struct ip6_hdr *);
 3002                 ip6->ip6_plen = htons(plen);
 3003         }
 3004 
 3005         /* if we have more to go, we need a tunnel mode processing */
 3006         if (isr != NULL)
 3007                 *tun = 1;
 3008 
 3009         return 0;
 3010 
 3011 bad:
 3012         m_freem(state->m);
 3013         state->m = NULL;
 3014         return error;
 3015 }
 3016 
 3017 /*
 3018  * IPsec output logic for IPv6, tunnel mode.
 3019  */
 3020 int
 3021 ipsec6_output_tunnel(state, sp, flags)
 3022         struct ipsec_output_state *state;
 3023         struct secpolicy *sp;
 3024         int flags;
 3025 {
 3026         struct ip6_hdr *ip6;
 3027         struct ipsecrequest *isr = NULL;
 3028         int error = 0;
 3029         int plen;
 3030         struct sockaddr_in6* dst6;
 3031         int s;
 3032 
 3033         if (!state)
 3034                 panic("state == NULL in ipsec6_output_tunnel");
 3035         if (!state->m)
 3036                 panic("state->m == NULL in ipsec6_output_tunnel");
 3037         if (!sp)
 3038                 panic("sp == NULL in ipsec6_output_tunnel");
 3039 
 3040         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 3041                 printf("ipsec6_output_tunnel: applyed SP\n");
 3042                 kdebug_secpolicy(sp));
 3043 
 3044         /*
 3045          * transport mode ipsec (before the 1st tunnel mode) is already
 3046          * processed by ipsec6_output_trans().
 3047          */
 3048         for (isr = sp->req; isr; isr = isr->next) {
 3049                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 3050                         break;
 3051         }
 3052 
 3053         for (/* already initialized */; isr; isr = isr->next) {
 3054                 error = ipsec6_checksa(isr, state, 1);
 3055                 if (error == ENOENT) {
 3056                         /*
 3057                          * IPsec processing is required, but no SA found.
 3058                          * I assume that key_acquire() had been called
 3059                          * to get/establish the SA. Here I discard
 3060                          * this packet because it is responsibility for
 3061                          * upper layer to retransmit the packet.
 3062                          */
 3063                         ipsec6stat.out_nosa++;
 3064                         error = ENOENT;
 3065                         goto bad;
 3066                 }
 3067 
 3068                 /* validity check */
 3069                 if (isr->sav == NULL) {
 3070                         switch (ipsec_get_reqlevel(isr, AF_INET6)) {
 3071                         case IPSEC_LEVEL_USE:
 3072                                 continue;
 3073                         case IPSEC_LEVEL_REQUIRE:
 3074                                 /* must be not reached here. */
 3075                                 panic("ipsec6_output_tunnel: no SA found, but required.");
 3076                         }
 3077                 }
 3078 
 3079                 /*
 3080                  * If there is no valid SA, we give up to process.
 3081                  * see same place at ipsec4_output().
 3082                  */
 3083                 if (isr->sav->state != SADB_SASTATE_MATURE
 3084                  && isr->sav->state != SADB_SASTATE_DYING) {
 3085                         ipsec6stat.out_nosa++;
 3086                         error = EINVAL;
 3087                         goto bad;
 3088                 }
 3089 
 3090                 /*
 3091                  * There may be the case that SA status will be changed when
 3092                  * we are refering to one. So calling splsoftnet().
 3093                  */
 3094                 s = splsoftnet();
 3095 
 3096                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 3097                         /*
 3098                          * build IPsec tunnel.
 3099                          */
 3100                         /* XXX should be processed with other familiy */
 3101                         if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
 3102                                 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3103                                     "family mismatched between inner and outer, spi=%u\n",
 3104                                     (u_int32_t)ntohl(isr->sav->spi)));
 3105                                 splx(s);
 3106                                 ipsec6stat.out_inval++;
 3107                                 error = EAFNOSUPPORT;
 3108                                 goto bad;
 3109                         }
 3110 
 3111                         state->m = ipsec6_splithdr(state->m);
 3112                         if (!state->m) {
 3113                                 splx(s);
 3114                                 ipsec6stat.out_nomem++;
 3115                                 error = ENOMEM;
 3116                                 goto bad;
 3117                         }
 3118                         error = ipsec6_encapsulate(state->m, isr->sav);
 3119                         splx(s);
 3120                         if (error) {
 3121                                 state->m = 0;
 3122                                 goto bad;
 3123                         }
 3124                         ip6 = mtod(state->m, struct ip6_hdr *);
 3125 
 3126                         state->ro = &isr->sav->sah->sa_route;
 3127                         state->dst = (struct sockaddr *)&state->ro->ro_dst;
 3128                         dst6 = (struct sockaddr_in6 *)state->dst;
 3129                         if (state->ro->ro_rt
 3130                          && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
 3131                           || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
 3132                                 RTFREE(state->ro->ro_rt);
 3133                                 bzero((caddr_t)state->ro, sizeof (*state->ro));
 3134                         }
 3135                         if (state->ro->ro_rt == 0) {
 3136                                 bzero(dst6, sizeof(*dst6));
 3137                                 dst6->sin6_family = AF_INET6;
 3138                                 dst6->sin6_len = sizeof(*dst6);
 3139                                 dst6->sin6_addr = ip6->ip6_dst;
 3140                                 rtalloc(state->ro);
 3141                         }
 3142                         if (state->ro->ro_rt == 0) {
 3143                                 ip6stat.ip6s_noroute++;
 3144                                 ipsec6stat.out_noroute++;
 3145                                 error = EHOSTUNREACH;
 3146                                 goto bad;
 3147                         }
 3148 
 3149                         /* adjust state->dst if tunnel endpoint is offlink */
 3150                         if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
 3151                                 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
 3152                                 dst6 = (struct sockaddr_in6 *)state->dst;
 3153                         }
 3154                 } else
 3155                         splx(s);
 3156 
 3157                 state->m = ipsec6_splithdr(state->m);
 3158                 if (!state->m) {
 3159                         ipsec6stat.out_nomem++;
 3160                         error = ENOMEM;
 3161                         goto bad;
 3162                 }
 3163                 ip6 = mtod(state->m, struct ip6_hdr *);
 3164                 switch (isr->saidx.proto) {
 3165                 case IPPROTO_ESP:
 3166 #ifdef IPSEC_ESP
 3167                         error = esp6_output(state->m, &ip6->ip6_nxt,
 3168                                             state->m->m_next, isr);
 3169 #else
 3170                         m_freem(state->m);
 3171                         error = EINVAL;
 3172 #endif
 3173                         break;
 3174                 case IPPROTO_AH:
 3175                         error = ah6_output(state->m, &ip6->ip6_nxt,
 3176                                            state->m->m_next, isr);
 3177                         break;
 3178                 case IPPROTO_IPCOMP:
 3179                         /* XXX code should be here */
 3180                         /* FALLTHROUGH */
 3181                 default:
 3182                         ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3183                             "unknown ipsec protocol %d\n", isr->saidx.proto));
 3184                         m_freem(state->m);
 3185                         ipsec6stat.out_inval++;
 3186                         error = EINVAL;
 3187                         break;
 3188                 }
 3189                 if (error) {
 3190                         state->m = NULL;
 3191                         goto bad;
 3192                 }
 3193                 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
 3194                 if (plen > IPV6_MAXPACKET) {
 3195                         ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3196                             "IPsec with IPv6 jumbogram is not supported\n"));
 3197                         ipsec6stat.out_inval++;
 3198                         error = EINVAL; /* XXX */
 3199                         goto bad;
 3200                 }
 3201                 ip6 = mtod(state->m, struct ip6_hdr *);
 3202                 ip6->ip6_plen = htons(plen);
 3203         }
 3204 
 3205         return 0;
 3206 
 3207 bad:
 3208         m_freem(state->m);
 3209         state->m = NULL;
 3210         return error;
 3211 }
 3212 #endif /* INET6 */
 3213 
 3214 #ifdef INET
 3215 /*
 3216  * Chop IP header and option off from the payload.
 3217  */
 3218 static struct mbuf *
 3219 ipsec4_splithdr(m)
 3220         struct mbuf *m;
 3221 {
 3222         struct mbuf *mh;
 3223         struct ip *ip;
 3224         int hlen;
 3225 
 3226         if (m->m_len < sizeof(struct ip))
 3227                 panic("ipsec4_splithdr: first mbuf too short");
 3228         ip = mtod(m, struct ip *);
 3229         hlen = ip->ip_hl << 2;
 3230         if (m->m_len > hlen) {
 3231                 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
 3232                 if (!mh) {
 3233                         m_freem(m);
 3234                         return NULL;
 3235                 }
 3236                 M_COPY_PKTHDR(mh, m);
 3237                 MH_ALIGN(mh, hlen);
 3238                 m_tag_delete_chain(m, NULL);
 3239                 m->m_flags &= ~M_PKTHDR;
 3240                 m->m_len -= hlen;
 3241                 m->m_data += hlen;
 3242                 mh->m_next = m;
 3243                 m = mh;
 3244                 m->m_len = hlen;
 3245                 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
 3246         } else if (m->m_len < hlen) {
 3247                 m = m_pullup(m, hlen);
 3248                 if (!m)
 3249                         return NULL;
 3250         }
 3251         return m;
 3252 }
 3253 #endif
 3254 
 3255 #ifdef INET6
 3256 static struct mbuf *
 3257 ipsec6_splithdr(m)
 3258         struct mbuf *m;
 3259 {
 3260         struct mbuf *mh;
 3261         struct ip6_hdr *ip6;
 3262         int hlen;
 3263 
 3264         if (m->m_len < sizeof(struct ip6_hdr))
 3265                 panic("ipsec6_splithdr: first mbuf too short");
 3266         ip6 = mtod(m, struct ip6_hdr *);
 3267         hlen = sizeof(struct ip6_hdr);
 3268         if (m->m_len > hlen) {
 3269                 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
 3270                 if (!mh) {
 3271                         m_freem(m);
 3272                         return NULL;
 3273                 }
 3274                 M_COPY_PKTHDR(mh, m);
 3275                 MH_ALIGN(mh, hlen);
 3276                 m_tag_delete_chain(m, NULL);
 3277                 m->m_flags &= ~M_PKTHDR;
 3278                 m->m_len -= hlen;
 3279                 m->m_data += hlen;
 3280                 mh->m_next = m;
 3281                 m = mh;
 3282                 m->m_len = hlen;
 3283                 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
 3284         } else if (m->m_len < hlen) {
 3285                 m = m_pullup(m, hlen);
 3286                 if (!m)
 3287                         return NULL;
 3288         }
 3289         return m;
 3290 }
 3291 #endif
 3292 
 3293 /* validate inbound IPsec tunnel packet. */
 3294 int
 3295 ipsec4_tunnel_validate(ip, nxt0, sav)
 3296         struct ip *ip;
 3297         u_int nxt0;
 3298         struct secasvar *sav;
 3299 {
 3300         u_int8_t nxt = nxt0 & 0xff;
 3301         struct sockaddr_in *sin;
 3302         int hlen;
 3303 
 3304         if (nxt != IPPROTO_IPV4)
 3305                 return 0;
 3306         /* do not decapsulate if the SA is for transport mode only */
 3307         if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
 3308                 return 0;
 3309         hlen = ip->ip_hl << 2;
 3310         if (hlen != sizeof(struct ip))
 3311                 return 0;
 3312         switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
 3313         case AF_INET:
 3314                 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
 3315                 if (bcmp(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)) != 0)
 3316                         return 0;
 3317                 break;
 3318 #ifdef INET6
 3319         case AF_INET6:
 3320                 /* should be supported, but at this moment we don't. */
 3321                 /*FALLTHROUGH*/
 3322 #endif
 3323         default:
 3324                 return 0;
 3325         }
 3326 
 3327         return 1;
 3328 }
 3329 
 3330 #ifdef INET6
 3331 /* validate inbound IPsec tunnel packet. */
 3332 int
 3333 ipsec6_tunnel_validate(ip6, nxt0, sav)
 3334         struct ip6_hdr *ip6;
 3335         u_int nxt0;
 3336         struct secasvar *sav;
 3337 {
 3338         u_int8_t nxt = nxt0 & 0xff;
 3339         struct sockaddr_in6 *sin6;
 3340         struct in6_addr in6;
 3341 
 3342         if (nxt != IPPROTO_IPV6)
 3343                 return 0;
 3344         /* do not decapsulate if the SA is for transport mode only */
 3345         if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
 3346                 return 0;
 3347         switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
 3348         case AF_INET6:
 3349                 sin6 = ((struct sockaddr_in6 *)&sav->sah->saidx.dst);
 3350                 in6_embedscope(&in6, sin6, NULL, NULL);
 3351                 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &in6))
 3352                         return 0;
 3353                 break;
 3354         case AF_INET:
 3355                 /* should be supported, but at this moment we don't. */
 3356                 /*FALLTHROUGH*/
 3357         default:
 3358                 return 0;
 3359         }
 3360 
 3361         return 1;
 3362 }
 3363 #endif
 3364 
 3365 /*
 3366  * Make a mbuf chain for encryption.
 3367  * If the original mbuf chain contains a mbuf with a cluster,
 3368  * allocate a new cluster and copy the data to the new cluster.
 3369  * XXX: this hack is inefficient, but is necessary to handle cases
 3370  * of TCP retransmission...
 3371  */
 3372 struct mbuf *
 3373 ipsec_copypkt(m)
 3374         struct mbuf *m;
 3375 {
 3376         struct mbuf *n, **mpp, *mnew;
 3377 
 3378         for (n = m, mpp = &m; n; n = n->m_next) {
 3379                 if (n->m_flags & M_EXT) {
 3380                         /*
 3381                          * Make a copy only if there is more than one
 3382                          * references to the cluster.
 3383                          * XXX: is this approach effective?
 3384                          */
 3385                         if (M_READONLY(n))
 3386                         {
 3387                                 int remain, copied;
 3388                                 struct mbuf *mm;
 3389 
 3390                                 if (n->m_flags & M_PKTHDR) {
 3391                                         MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
 3392                                         if (mnew == NULL)
 3393                                                 goto fail;
 3394                                         mnew->m_pkthdr = n->m_pkthdr;
 3395 #if 0
 3396                                         /* XXX: convert to m_tag or delete? */
 3397                                         if (n->m_pkthdr.aux) {
 3398                                                 mnew->m_pkthdr.aux =
 3399                                                     m_copym(n->m_pkthdr.aux,
 3400                                                     0, M_COPYALL, M_DONTWAIT);
 3401                                         }
 3402 #endif
 3403                                         M_COPY_PKTHDR(mnew, n);
 3404                                 }
 3405                                 else {
 3406                                         MGET(mnew, M_DONTWAIT, MT_DATA);
 3407                                         if (mnew == NULL)
 3408                                                 goto fail;
 3409                                 }
 3410                                 mnew->m_len = 0;
 3411                                 mm = mnew;
 3412 
 3413                                 /*
 3414                                  * Copy data. If we don't have enough space to
 3415                                  * store the whole data, allocate a cluster
 3416                                  * or additional mbufs.
 3417                                  * XXX: we don't use m_copyback(), since the
 3418                                  * function does not use clusters and thus is
 3419                                  * inefficient.
 3420                                  */
 3421                                 remain = n->m_len;
 3422                                 copied = 0;
 3423                                 while (1) {
 3424                                         int len;
 3425                                         struct mbuf *mn;
 3426 
 3427                                         if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
 3428                                                 len = remain;
 3429                                         else { /* allocate a cluster */
 3430                                                 MCLGET(mm, M_DONTWAIT);
 3431                                                 if (!(mm->m_flags & M_EXT)) {
 3432                                                         m_free(mm);
 3433                                                         goto fail;
 3434                                                 }
 3435                                                 len = remain < MCLBYTES ?
 3436                                                         remain : MCLBYTES;
 3437                                         }
 3438 
 3439                                         bcopy(n->m_data + copied, mm->m_data,
 3440                                               len);
 3441 
 3442                                         copied += len;
 3443                                         remain -= len;
 3444                                         mm->m_len = len;
 3445 
 3446                                         if (remain <= 0) /* completed? */
 3447                                                 break;
 3448 
 3449                                         /* need another mbuf */
 3450                                         MGETHDR(mn, M_DONTWAIT, MT_HEADER);
 3451                                         if (mn == NULL)
 3452                                                 goto fail;
 3453                                         mn->m_pkthdr.rcvif = NULL;
 3454                                         mm->m_next = mn;
 3455                                         mm = mn;
 3456                                 }
 3457 
 3458                                 /* adjust chain */
 3459                                 mm->m_next = m_free(n);
 3460                                 n = mm;
 3461                                 *mpp = mnew;
 3462                                 mpp = &n->m_next;
 3463 
 3464                                 continue;
 3465                         }
 3466                 }
 3467                 *mpp = n;
 3468                 mpp = &n->m_next;
 3469         }
 3470 
 3471         return (m);
 3472   fail:
 3473         m_freem(m);
 3474         return (NULL);
 3475 }
 3476 
 3477 static struct m_tag *
 3478 ipsec_addaux(m)
 3479         struct mbuf *m;
 3480 {
 3481         struct m_tag *mtag;
 3482 
 3483         mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
 3484         if (mtag == NULL) {
 3485                 mtag = m_tag_get(PACKET_TAG_ESP, sizeof(struct ipsecaux),
 3486                     M_NOWAIT);
 3487                 if (mtag != NULL)
 3488                         m_tag_prepend(m, mtag);
 3489         }
 3490         if (mtag == NULL)
 3491                 return NULL;    /* ENOBUFS */
 3492         /* XXX is this necessary? */
 3493         bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
 3494         return mtag;
 3495 }
 3496 
 3497 static struct m_tag *
 3498 ipsec_findaux(m)
 3499         struct mbuf *m;
 3500 {
 3501         return m_tag_find(m, PACKET_TAG_ESP, NULL);
 3502 }
 3503 
 3504 void
 3505 ipsec_delaux(m)
 3506         struct mbuf *m;
 3507 {
 3508         struct m_tag *mtag;
 3509 
 3510         mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
 3511         if (mtag != NULL)
 3512                 m_tag_delete(m, mtag);
 3513 }
 3514 
 3515 /* if the aux buffer is unnecessary, nuke it. */
 3516 static void
 3517 ipsec_optaux(m, mtag)
 3518         struct mbuf *m;
 3519         struct m_tag *mtag;
 3520 {
 3521         struct ipsecaux *aux;
 3522 
 3523         if (mtag == NULL)
 3524                 return;
 3525         aux = (struct ipsecaux *)(mtag + 1);
 3526         if (!aux->so && !aux->sp)
 3527                 ipsec_delaux(m);
 3528 }
 3529 
 3530 int
 3531 ipsec_addhist(m, proto, spi)
 3532         struct mbuf *m;
 3533         int proto;
 3534         u_int32_t spi;
 3535 {
 3536         struct m_tag *mtag;
 3537         struct ipsecaux *aux;
 3538 
 3539         mtag = ipsec_addaux(m);
 3540         if (mtag == NULL)
 3541                 return ENOBUFS;
 3542         aux = (struct ipsecaux *)(mtag + 1);
 3543         aux->hdrs++;
 3544         return 0;
 3545 }
 3546 
 3547 int
 3548 ipsec_getnhist(m)
 3549         struct mbuf *m;
 3550 {
 3551         struct m_tag *mtag;
 3552         struct ipsecaux *aux;
 3553 
 3554         mtag = ipsec_findaux(m);
 3555         if (mtag == NULL)
 3556                 return 0;
 3557         aux = (struct ipsecaux *)(mtag + 1);
 3558         return aux->hdrs;
 3559 }
 3560 
 3561 struct ipsec_history *
 3562 ipsec_gethist(m, lenp)
 3563         struct mbuf *m;
 3564         int *lenp;
 3565 {
 3566 
 3567         panic("ipsec_gethist: obsolete API");
 3568 }
 3569 
 3570 void
 3571 ipsec_clearhist(m)
 3572         struct mbuf *m;
 3573 {
 3574         struct m_tag *mtag;
 3575 
 3576         mtag = ipsec_findaux(m);
 3577         ipsec_optaux(m, mtag);
 3578 }
 3579 
 3580 /*
 3581  * System control for IPSEC
 3582  */
 3583 u_char  ipsecctlermap[PRC_NCMDS] = {
 3584         0,              0,              0,              0,
 3585         0,              EMSGSIZE,       EHOSTDOWN,      EHOSTUNREACH,
 3586         EHOSTUNREACH,   EHOSTUNREACH,   ECONNREFUSED,   ECONNREFUSED,
 3587         EMSGSIZE,       EHOSTUNREACH,   0,              0,
 3588         0,              0,              0,              0,
 3589         ENOPROTOOPT
 3590 };
 3591 
 3592 /*
 3593  * sysctl helper routine for some net.inet.ipsec and net.inet6.ipnet6
 3594  * nodes.  ensures that the given value is correct and clears the
 3595  * ipsec cache accordingly.
 3596  */
 3597 static int
 3598 sysctl_ipsec(SYSCTLFN_ARGS)
 3599 {
 3600         int error, t;
 3601         struct sysctlnode node;
 3602 
 3603         node = *rnode;
 3604         if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
 3605                 t = (*((struct secpolicy**)rnode->sysctl_data))->policy;
 3606         else
 3607                 t = *(int*)rnode->sysctl_data;
 3608         node.sysctl_data = &t;
 3609         error = sysctl_lookup(SYSCTLFN_CALL(&node));
 3610         if (error || newp == NULL)
 3611                 return (error);
 3612 
 3613         switch (rnode->sysctl_num) {
 3614         case IPSECCTL_DEF_ESP_TRANSLEV:
 3615         case IPSECCTL_DEF_ESP_NETLEV:
 3616         case IPSECCTL_DEF_AH_TRANSLEV:
 3617         case IPSECCTL_DEF_AH_NETLEV:
 3618                 if (t != IPSEC_LEVEL_USE && 
 3619                     t != IPSEC_LEVEL_REQUIRE)
 3620                         return (EINVAL);
 3621                 ipsec_invalpcbcacheall();
 3622                 break;
 3623         case IPSECCTL_DEF_POLICY:
 3624                 if (t != IPSEC_POLICY_DISCARD &&
 3625                     t != IPSEC_POLICY_NONE)
 3626                         return (EINVAL);
 3627                 ipsec_invalpcbcacheall();
 3628                 break;
 3629         default:
 3630                 return (EINVAL);
 3631         }
 3632 
 3633         if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
 3634                 (*((struct secpolicy**)rnode->sysctl_data))->policy = t;
 3635         else
 3636                 *(int*)rnode->sysctl_data = t;
 3637 
 3638         return (0);
 3639 }
 3640 
 3641 SYSCTL_SETUP(sysctl_net_inet_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
 3642 {
 3643 
 3644         sysctl_createv(clog, 0, NULL, NULL,
 3645                        CTLFLAG_PERMANENT,
 3646                        CTLTYPE_NODE, "net", NULL,
 3647                        NULL, 0, NULL, 0,
 3648                        CTL_NET, CTL_EOL);
 3649         sysctl_createv(clog, 0, NULL, NULL,
 3650                        CTLFLAG_PERMANENT,
 3651                        CTLTYPE_NODE, "inet", NULL,
 3652                        NULL, 0, NULL, 0,
 3653                        CTL_NET, PF_INET, CTL_EOL);
 3654         sysctl_createv(clog, 0, NULL, NULL,
 3655                        CTLFLAG_PERMANENT,
 3656                        CTLTYPE_NODE, "ipsec",
 3657                        SYSCTL_DESCR("IPv4 related IPSec settings"),
 3658                        NULL, 0, NULL, 0,
 3659                        CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
 3660 
 3661         sysctl_createv(clog, 0, NULL, NULL,
 3662                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3663                        CTLTYPE_STRUCT, "stats",
 3664                        SYSCTL_DESCR("IPSec statistics and counters"),
 3665                        NULL, 0, &ipsecstat, sizeof(ipsecstat),
 3666                        CTL_NET, PF_INET, IPPROTO_AH,
 3667                        IPSECCTL_STATS, CTL_EOL);
 3668         sysctl_createv(clog, 0, NULL, NULL,
 3669                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3670                        CTLTYPE_INT, "def_policy",
 3671                        SYSCTL_DESCR("Default action for non-IPSec packets"),
 3672                        sysctl_ipsec, 0, &ip4_def_policy, 0,
 3673                        CTL_NET, PF_INET, IPPROTO_AH,
 3674                        IPSECCTL_DEF_POLICY, CTL_EOL);
 3675         sysctl_createv(clog, 0, NULL, NULL,
 3676                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3677                        CTLTYPE_INT, "esp_trans_deflev",
 3678                        SYSCTL_DESCR("Default required security level for "
 3679                                     "transport mode traffic"),
 3680                        sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
 3681                        CTL_NET, PF_INET, IPPROTO_AH,
 3682                        IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
 3683         sysctl_createv(clog, 0, NULL, NULL,
 3684                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3685                        CTLTYPE_INT, "esp_net_deflev",
 3686                        SYSCTL_DESCR("Default required security level for "
 3687                                     "tunneled traffic"),
 3688                        sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
 3689                        CTL_NET, PF_INET, IPPROTO_AH,
 3690                        IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
 3691         sysctl_createv(clog, 0, NULL, NULL,
 3692                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3693                        CTLTYPE_INT, "ah_trans_deflev",
 3694                        SYSCTL_DESCR("Default required security level for "
 3695                                     "transport mode headers"),
 3696                        sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
 3697                        CTL_NET, PF_INET, IPPROTO_AH,
 3698                        IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
 3699         sysctl_createv(clog, 0, NULL, NULL,
 3700                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3701                        CTLTYPE_INT, "ah_net_deflev",
 3702                        SYSCTL_DESCR("Default required security level for "
 3703                                     "tunneled headers"),
 3704                        sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
 3705                        CTL_NET, PF_INET, IPPROTO_AH,
 3706                        IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
 3707 #if 0 /* obsolete, do not reuse */
 3708         sysctl_createv(clog, 0, NULL, NULL,
 3709                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3710                        CTLTYPE_INT, "inbound_call_ike", NULL,
 3711                        NULL, 0, &ip4_inbound_call_ike, 0,
 3712                        CTL_NET, PF_INET, IPPROTO_AH,
 3713                        IPSECCTL_INBOUND_CALL_IKE, CTL_EOL);
 3714 #endif
 3715         sysctl_createv(clog, 0, NULL, NULL,
 3716                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3717                        CTLTYPE_INT, "ah_cleartos",
 3718                        SYSCTL_DESCR("Clear IP TOS field before calculating AH"),
 3719                        NULL, 0, &ip4_ah_cleartos, 0,
 3720                        CTL_NET, PF_INET, IPPROTO_AH,
 3721                        IPSECCTL_AH_CLEARTOS, CTL_EOL);
 3722         sysctl_createv(clog, 0, NULL, NULL,
 3723                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3724                        CTLTYPE_INT, "ah_offsetmask",
 3725                        SYSCTL_DESCR("Mask for IP fragment offset field when "
 3726                                     "calculating AH"),
 3727                        NULL, 0, &ip4_ah_offsetmask, 0,
 3728                        CTL_NET, PF_INET, IPPROTO_AH,
 3729                        IPSECCTL_AH_OFFSETMASK, CTL_EOL);
 3730         sysctl_createv(clog, 0, NULL, NULL,
 3731                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3732                        CTLTYPE_INT, "dfbit",
 3733                        SYSCTL_DESCR("IP header DF bit setting for tunneled "
 3734                                     "traffic"),
 3735                        NULL, 0, &ip4_ipsec_dfbit, 0,
 3736                        CTL_NET, PF_INET, IPPROTO_AH,
 3737                        IPSECCTL_DFBIT, CTL_EOL);
 3738         sysctl_createv(clog, 0, NULL, NULL,
 3739                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3740                        CTLTYPE_INT, "ecn",
 3741                        SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
 3742                        NULL, 0, &ip4_ipsec_ecn, 0,
 3743                        CTL_NET, PF_INET, IPPROTO_AH,
 3744                        IPSECCTL_ECN, CTL_EOL);
 3745         sysctl_createv(clog, 0, NULL, NULL,
 3746                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3747                        CTLTYPE_INT, "debug",
 3748                        SYSCTL_DESCR("Enable IPSec debugging output"),
 3749                        NULL, 0, &ipsec_debug, 0,
 3750                        CTL_NET, PF_INET, IPPROTO_AH,
 3751                        IPSECCTL_DEBUG, CTL_EOL);
 3752 
 3753         /*
 3754          * "aliases" for the ipsec subtree
 3755          */
 3756         sysctl_createv(clog, 0, NULL, NULL,
 3757                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3758                        CTLTYPE_NODE, "esp", NULL,
 3759                        NULL, IPPROTO_AH, NULL, 0,
 3760                        CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
 3761         sysctl_createv(clog, 0, NULL, NULL,
 3762                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3763                        CTLTYPE_NODE, "ipcomp", NULL,
 3764                        NULL, IPPROTO_AH, NULL, 0,
 3765                        CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
 3766         sysctl_createv(clog, 0, NULL, NULL,
 3767                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3768                        CTLTYPE_NODE, "ah", NULL,
 3769                        NULL, IPPROTO_AH, NULL, 0,
 3770                        CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
 3771 }
 3772 
 3773 #ifdef INET6
 3774 /*
 3775  * System control for IPSEC6
 3776  */
 3777 u_char  ipsec6ctlermap[PRC_NCMDS] = {
 3778         0,              0,              0,              0,
 3779         0,              EMSGSIZE,       EHOSTDOWN,      EHOSTUNREACH,
 3780         EHOSTUNREACH,   EHOSTUNREACH,   ECONNREFUSED,   ECONNREFUSED,
 3781         EMSGSIZE,       EHOSTUNREACH,   0,              0,
 3782         0,              0,              0,              0,
 3783         ENOPROTOOPT
 3784 };
 3785 
 3786 SYSCTL_SETUP(sysctl_net_inet6_ipsec6_setup,
 3787              "sysctl net.inet6.ipsec6 subtree setup")
 3788 {
 3789 
 3790         sysctl_createv(clog, 0, NULL, NULL,
 3791                        CTLFLAG_PERMANENT,
 3792                        CTLTYPE_NODE, "net", NULL,
 3793                        NULL, 0, NULL, 0,
 3794                        CTL_NET, CTL_EOL);
 3795         sysctl_createv(clog, 0, NULL, NULL,
 3796                        CTLFLAG_PERMANENT,
 3797                        CTLTYPE_NODE, "inet6", NULL,
 3798                        NULL, 0, NULL, 0,
 3799                        CTL_NET, PF_INET6, CTL_EOL);
 3800         sysctl_createv(clog, 0, NULL, NULL,
 3801                        CTLFLAG_PERMANENT,
 3802                        CTLTYPE_NODE, "ipsec6",
 3803                        SYSCTL_DESCR("IPv6 related IPSec settings"),
 3804                        NULL, 0, NULL, 0,
 3805                        CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
 3806 
 3807         sysctl_createv(clog, 0, NULL, NULL,
 3808                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3809                        CTLTYPE_STRUCT, "stats",
 3810                        SYSCTL_DESCR("IPSec statistics and counters"),
 3811                        NULL, 0, &ipsec6stat, sizeof(ipsec6stat),
 3812                        CTL_NET, PF_INET6, IPPROTO_AH,
 3813                        IPSECCTL_STATS, CTL_EOL);
 3814         sysctl_createv(clog, 0, NULL, NULL,
 3815                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3816                        CTLTYPE_INT, "def_policy",
 3817                        SYSCTL_DESCR("Default action for non-IPSec packets"),
 3818                        sysctl_ipsec, 0, &ip6_def_policy, 0,
 3819                        CTL_NET, PF_INET6, IPPROTO_AH,
 3820                        IPSECCTL_DEF_POLICY, CTL_EOL);
 3821         sysctl_createv(clog, 0, NULL, NULL,
 3822                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3823                        CTLTYPE_INT, "esp_trans_deflev",
 3824                        SYSCTL_DESCR("Default required security level for "
 3825                                     "transport mode traffic"),
 3826                        sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0,
 3827                        CTL_NET, PF_INET6, IPPROTO_AH,
 3828                        IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
 3829         sysctl_createv(clog, 0, NULL, NULL,
 3830                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3831                        CTLTYPE_INT, "esp_net_deflev",
 3832                        SYSCTL_DESCR("Default required security level for "
 3833                                     "tunneled traffic"),
 3834                        sysctl_ipsec, 0, &ip6_esp_net_deflev, 0,
 3835                        CTL_NET, PF_INET6, IPPROTO_AH,
 3836                        IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
 3837         sysctl_createv(clog, 0, NULL, NULL,
 3838                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3839                        CTLTYPE_INT, "ah_trans_deflev",
 3840                        SYSCTL_DESCR("Default required security level for "
 3841                                     "transport mode headers"),
 3842                        sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0,
 3843                        CTL_NET, PF_INET6, IPPROTO_AH,
 3844                        IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
 3845         sysctl_createv(clog, 0, NULL, NULL,
 3846                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3847                        CTLTYPE_INT, "ah_net_deflev",
 3848                        SYSCTL_DESCR("Default required security level for "
 3849                                     "tunneled headers"),
 3850                        sysctl_ipsec, 0, &ip6_ah_net_deflev, 0,
 3851                        CTL_NET, PF_INET6, IPPROTO_AH,
 3852                        IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
 3853         sysctl_createv(clog, 0, NULL, NULL,
 3854                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3855                        CTLTYPE_INT, "ecn",
 3856                        SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
 3857                        NULL, 0, &ip6_ipsec_ecn, 0,
 3858                        CTL_NET, PF_INET6, IPPROTO_AH,
 3859                        IPSECCTL_ECN, CTL_EOL);
 3860         sysctl_createv(clog, 0, NULL, NULL,
 3861                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3862                        CTLTYPE_INT, "debug",
 3863                        SYSCTL_DESCR("Enable IPSec debugging output"),
 3864                        NULL, 0, &ipsec_debug, 0,
 3865                        CTL_NET, PF_INET6, IPPROTO_AH,
 3866                        IPSECCTL_DEBUG, CTL_EOL);
 3867 
 3868         /*
 3869          * "aliases" for the ipsec6 subtree
 3870          */
 3871         sysctl_createv(clog, 0, NULL, NULL,
 3872                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3873                        CTLTYPE_NODE, "esp6", NULL,
 3874                        NULL, IPPROTO_AH, NULL, 0,
 3875                        CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
 3876         sysctl_createv(clog, 0, NULL, NULL,
 3877                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3878                        CTLTYPE_NODE, "ipcomp6", NULL,
 3879                        NULL, IPPROTO_AH, NULL, 0,
 3880                        CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
 3881         sysctl_createv(clog, 0, NULL, NULL,
 3882                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3883                        CTLTYPE_NODE, "ah6", NULL,
 3884                        NULL, IPPROTO_AH, NULL, 0,
 3885                        CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
 3886 }
 3887 #endif /* INET6 */

Cache object: 10a4b887ed54d18dda49c1d679018d32


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.