The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet6/ipsec.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $NetBSD: ipsec.c,v 1.110.2.3 2007/07/26 12:26:40 liamjfoy Exp $ */
    2 /*      $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */
    3 
    4 /*
    5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    6  * All rights reserved.
    7  *
    8  * Redistribution and use in source and binary forms, with or without
    9  * modification, are permitted provided that the following conditions
   10  * are met:
   11  * 1. Redistributions of source code must retain the above copyright
   12  *    notice, this list of conditions and the following disclaimer.
   13  * 2. Redistributions in binary form must reproduce the above copyright
   14  *    notice, this list of conditions and the following disclaimer in the
   15  *    documentation and/or other materials provided with the distribution.
   16  * 3. Neither the name of the project nor the names of its contributors
   17  *    may be used to endorse or promote products derived from this software
   18  *    without specific prior written permission.
   19  *
   20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   30  * SUCH DAMAGE.
   31  */
   32 
   33 /*
   34  * IPsec controller part.
   35  */
   36 
   37 #include <sys/cdefs.h>
   38 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.110.2.3 2007/07/26 12:26:40 liamjfoy Exp $");
   39 
   40 #include "opt_inet.h"
   41 #include "opt_ipsec.h"
   42 
   43 #include <sys/param.h>
   44 #include <sys/systm.h>
   45 #include <sys/malloc.h>
   46 #include <sys/mbuf.h>
   47 #include <sys/domain.h>
   48 #include <sys/protosw.h>
   49 #include <sys/socket.h>
   50 #include <sys/socketvar.h>
   51 #include <sys/errno.h>
   52 #include <sys/time.h>
   53 #include <sys/kernel.h>
   54 #include <sys/syslog.h>
   55 #include <sys/sysctl.h>
   56 
   57 #include <net/if.h>
   58 #include <net/route.h>
   59 
   60 #include <netinet/in.h>
   61 #include <netinet/in_systm.h>
   62 #include <netinet/ip.h>
   63 #include <netinet/ip_var.h>
   64 #include <netinet/in_var.h>
   65 #include <netinet/udp.h>
   66 #include <netinet/udp_var.h>
   67 #include <netinet/ip_ecn.h>
   68 #include <netinet/tcp.h>
   69 
   70 #include <netinet/ip6.h>
   71 #ifdef INET6
   72 #include <netinet6/ip6_var.h>
   73 #endif
   74 #include <netinet/in_pcb.h>
   75 #ifdef INET6
   76 #include <netinet6/in6_pcb.h>
   77 #include <netinet/icmp6.h>
   78 #include <netinet6/scope6_var.h>
   79 #endif
   80 
   81 #include <netinet6/ipsec.h>
   82 #include <netinet6/ah.h>
   83 #ifdef IPSEC_ESP
   84 #include <netinet6/esp.h>
   85 #endif
   86 #include <netinet6/ipcomp.h>
   87 #include <netkey/key.h>
   88 #include <netkey/keydb.h>
   89 #include <netkey/key_debug.h>
   90 
   91 #include <net/net_osdep.h>
   92 
   93 #ifdef IPSEC_DEBUG
   94 int ipsec_debug = 1;
   95 #else
   96 int ipsec_debug = 0;
   97 #endif
   98 
   99 struct ipsecstat ipsecstat;
  100 int ip4_ah_cleartos = 1;
  101 int ip4_ah_offsetmask = 0;      /* maybe IP_DF? */
  102 int ip4_ipsec_dfbit = 2;        /* DF bit on encap. 0: clear 1: set 2: copy */
  103 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
  104 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
  105 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
  106 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
  107 struct secpolicy *ip4_def_policy;
  108 int ip4_ipsec_ecn = 0;          /* ECN ignore(-1)/forbidden(0)/allowed(1) */
  109 
  110 #ifdef INET6
  111 struct ipsecstat ipsec6stat;
  112 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
  113 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
  114 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
  115 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
  116 struct secpolicy *ip6_def_policy;
  117 int ip6_ipsec_ecn = 0;          /* ECN ignore(-1)/forbidden(0)/allowed(1) */
  118 
  119 #endif /* INET6 */
  120 
  121 u_int ipsec_spdgen = 1;         /* SPD generation # */
  122 
  123 #ifdef SADB_X_EXT_TAG
  124 static struct pf_tag *ipsec_get_tag __P((struct mbuf *));
  125 #endif
  126 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
  127         struct inpcbpolicy *, int));
  128 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
  129         struct secpolicy *, int));
  130 static int ipsec_invalpcbcache __P((struct inpcbpolicy *, int));
  131 static int ipsec_setspidx_mbuf
  132         __P((struct secpolicyindex *, int, struct mbuf *, int));
  133 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
  134 static void ipsec4_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
  135 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
  136 #ifdef INET6
  137 static void ipsec6_get_ulp __P((struct mbuf *, struct secpolicyindex *, int));
  138 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
  139 #endif
  140 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
  141 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
  142 #if 0
  143 static int ipsec_deepcopy_pcbpolicy __P((struct inpcbpolicy *));
  144 #endif
  145 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *));
  146 static int ipsec_set_policy
  147         __P((struct secpolicy **, int, caddr_t, size_t, int));
  148 static int ipsec_get_policy __P((struct secpolicy *, struct mbuf **));
  149 static void vshiftl __P((unsigned char *, int, int));
  150 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
  151 static size_t ipsec_hdrsiz __P((struct secpolicy *));
  152 #ifdef INET
  153 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
  154 #endif
  155 #ifdef INET6
  156 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
  157 #endif
  158 #ifdef INET
  159 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
  160 #endif
  161 #ifdef INET6
  162 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
  163 #endif
  164 static struct m_tag *ipsec_addaux __P((struct mbuf *));
  165 static struct m_tag *ipsec_findaux __P((struct mbuf *));
  166 static void ipsec_optaux __P((struct mbuf *, struct m_tag *));
  167 #ifdef INET
  168 static int ipsec4_checksa __P((struct ipsecrequest *,
  169         struct ipsec_output_state *));
  170 #endif
  171 #ifdef INET6
  172 static int ipsec6_checksa __P((struct ipsecrequest *,
  173         struct ipsec_output_state *, int));
  174 #endif
  175 
  176 /*
  177  * try to validate and use cached policy on a pcb.
  178  */
  179 static struct secpolicy *
  180 ipsec_checkpcbcache(m, pcbsp, dir)
  181         struct mbuf *m;
  182         struct inpcbpolicy *pcbsp;
  183         int dir;
  184 {
  185         struct secpolicyindex spidx;
  186         struct bintime bt;
  187 
  188         switch (dir) {
  189         case IPSEC_DIR_INBOUND:
  190         case IPSEC_DIR_OUTBOUND:
  191         case IPSEC_DIR_ANY:
  192                 break;
  193         default:
  194                 return NULL;
  195         }
  196 #ifdef DIAGNOSTIC
  197         if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
  198                 panic("dir too big in ipsec_checkpcbcache");
  199 #endif
  200         /* SPD table change invalidates all the caches */
  201         if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
  202                 ipsec_invalpcbcache(pcbsp, dir);
  203                 return NULL;
  204         }
  205         if (!pcbsp->sp_cache[dir].cachesp)
  206                 return NULL;
  207         if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) {
  208                 ipsec_invalpcbcache(pcbsp, dir);
  209                 return NULL;
  210         }
  211         if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
  212                 if (!pcbsp->sp_cache[dir].cachesp)
  213                         return NULL;
  214                 if (ipsec_setspidx(m, &spidx, 1) != 0)
  215                         return NULL;
  216 
  217                 /*
  218          * We have to make an exact match here since the cached rule
  219          * might have lower priority than a rule that would otherwise
  220          * have matched the packet. 
  221          */
  222 
  223                 if (bcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx, sizeof(spidx))) 
  224                         return NULL;
  225                 
  226         } else {
  227                 /*
  228                  * The pcb is connected, and the L4 code is sure that:
  229                  * - outgoing side uses inp_[lf]addr
  230                  * - incoming side looks up policy after inpcb lookup
  231                  * and address pair is known to be stable.  We do not need
  232                  * to generate spidx again, nor check the address match again.
  233                  *
  234                  * For IPv4/v6 SOCK_STREAM sockets, this assumption holds
  235                  * and there are calls to ipsec_pcbconn() from in_pcbconnect().
  236                  */
  237         }
  238 
  239         getbinuptime(&bt);
  240         pcbsp->sp_cache[dir].cachesp->lastused = bt.sec;
  241         pcbsp->sp_cache[dir].cachesp->refcnt++;
  242         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  243                 printf("DP ipsec_checkpcbcache cause refcnt++:%d SP:%p\n",
  244                 pcbsp->sp_cache[dir].cachesp->refcnt,
  245                 pcbsp->sp_cache[dir].cachesp));
  246         return pcbsp->sp_cache[dir].cachesp;
  247 }
  248 
  249 static int
  250 ipsec_fillpcbcache(pcbsp, m, sp, dir)
  251         struct inpcbpolicy *pcbsp;
  252         struct mbuf *m;
  253         struct secpolicy *sp;
  254         int dir;
  255 {
  256 
  257         switch (dir) {
  258         case IPSEC_DIR_INBOUND:
  259         case IPSEC_DIR_OUTBOUND:
  260                 break;
  261         default:
  262                 return EINVAL;
  263         }
  264 #ifdef DIAGNOSTIC
  265         if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[0]))
  266                 panic("dir too big in ipsec_checkpcbcache");
  267 #endif
  268 
  269         if (pcbsp->sp_cache[dir].cachesp)
  270                 key_freesp(pcbsp->sp_cache[dir].cachesp);
  271         pcbsp->sp_cache[dir].cachesp = NULL;
  272         pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_MAYBE;
  273         if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) {
  274                 return EINVAL;
  275         }
  276         pcbsp->sp_cache[dir].cachesp = sp;
  277         if (pcbsp->sp_cache[dir].cachesp) {
  278                 pcbsp->sp_cache[dir].cachesp->refcnt++;
  279                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  280                         printf("DP ipsec_fillpcbcache cause refcnt++:%d SP:%p\n",
  281                         pcbsp->sp_cache[dir].cachesp->refcnt,
  282                         pcbsp->sp_cache[dir].cachesp));
  283 
  284                 /*
  285                  * If the PCB is connected, we can remember a hint to
  286                  * possibly short-circuit IPsec processing in other places.
  287                  */
  288                 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
  289                         switch (pcbsp->sp_cache[dir].cachesp->policy) {
  290                         case IPSEC_POLICY_NONE:
  291                         case IPSEC_POLICY_BYPASS:
  292                                 pcbsp->sp_cache[dir].cachehint =
  293                                     IPSEC_PCBHINT_NO;
  294                                 break;
  295                         default:
  296                                 pcbsp->sp_cache[dir].cachehint =
  297                                     IPSEC_PCBHINT_YES;
  298                         }
  299                 }
  300         }
  301         pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
  302 
  303         return 0;
  304 }
  305 
  306 static int
  307 ipsec_invalpcbcache(pcbsp, dir)
  308         struct inpcbpolicy *pcbsp;
  309         int dir;
  310 {
  311         int i;
  312 
  313         for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
  314                 if (dir != IPSEC_DIR_ANY && i != dir)
  315                         continue;
  316                 if (pcbsp->sp_cache[i].cachesp)
  317                         key_freesp(pcbsp->sp_cache[i].cachesp);
  318                 pcbsp->sp_cache[i].cachesp = NULL;
  319                 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_MAYBE;
  320                 pcbsp->sp_cache[i].cachegen = 0;
  321                 bzero(&pcbsp->sp_cache[i].cacheidx,
  322                       sizeof(pcbsp->sp_cache[i].cacheidx));
  323         }
  324         return 0;
  325 }
  326 
  327 int
  328 ipsec_pcbconn(pcbsp)
  329         struct inpcbpolicy *pcbsp;
  330 {
  331 
  332         pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
  333         ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
  334         return 0;
  335 }
  336 
  337 int
  338 ipsec_pcbdisconn(pcbsp)
  339         struct inpcbpolicy *pcbsp;
  340 {
  341 
  342         pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
  343         ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
  344         return 0;
  345 }
  346 
  347 void
  348 ipsec_invalpcbcacheall()
  349 {
  350 
  351         if (ipsec_spdgen == UINT_MAX)
  352                 ipsec_spdgen = 1;
  353         else
  354                 ipsec_spdgen++;
  355 }
  356 
  357 #ifdef SADB_X_EXT_TAG
  358 static struct pf_tag *
  359 ipsec_get_tag(m)
  360         struct mbuf *m;
  361 {
  362         struct m_tag    *mtag;
  363 
  364         if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL)
  365                 return ((struct pf_tag *)(mtag + 1));
  366         else
  367                 return (NULL);
  368 }
  369 #endif
  370 
  371 /*
  372  * For OUTBOUND packet having a socket. Searching SPD for packet,
  373  * and return a pointer to SP.
  374  * OUT: NULL:   no apropreate SP found, the following value is set to error.
  375  *              0       : bypass
  376  *              EACCES  : discard packet.
  377  *              ENOENT  : ipsec_acquire() in progress, maybe.
  378  *              others  : error occurred.
  379  *      others: a pointer to SP
  380  *
  381  * NOTE: IPv6 mapped address concern is implemented here.
  382  */
  383 struct secpolicy *
  384 ipsec4_getpolicybysock(m, dir, so, error)
  385         struct mbuf *m;
  386         u_int dir;
  387         struct socket *so;
  388         int *error;
  389 {
  390         struct inpcbpolicy *pcbsp = NULL;
  391         struct secpolicy *currsp = NULL;        /* policy on socket */
  392         struct secpolicy *kernsp = NULL;        /* policy on kernel */
  393         struct secpolicyindex spidx;
  394 #ifdef SADB_X_EXT_TAG
  395         struct pf_tag *t;
  396 #endif
  397         u_int16_t tag;
  398 
  399         /* sanity check */
  400         if (m == NULL || so == NULL || error == NULL)
  401                 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
  402 
  403         switch (so->so_proto->pr_domain->dom_family) {
  404         case AF_INET:
  405                 pcbsp = sotoinpcb(so)->inp_sp;
  406                 break;
  407 #ifdef INET6
  408         case AF_INET6:
  409                 pcbsp = sotoin6pcb(so)->in6p_sp;
  410                 break;
  411 #endif
  412         default:
  413                 panic("ipsec4_getpolicybysock: unsupported address family");
  414         }
  415 
  416 #ifdef DIAGNOSTIC
  417         if (pcbsp == NULL)
  418                 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
  419 #endif
  420 
  421 #ifdef SADB_X_EXT_TAG
  422         t = ipsec_get_tag(m);
  423         tag = t ? t->tag : 0;
  424 #else
  425         tag = 0;
  426 #endif
  427 
  428         /* if we have a cached entry, and if it is still valid, use it. */
  429         ipsecstat.spdcachelookup++;
  430         currsp = ipsec_checkpcbcache(m, pcbsp, dir);
  431         if (currsp) {
  432                 *error = 0;
  433                 return currsp;
  434         }
  435         ipsecstat.spdcachemiss++;
  436 
  437         switch (dir) {
  438         case IPSEC_DIR_INBOUND:
  439                 currsp = pcbsp->sp_in;
  440                 break;
  441         case IPSEC_DIR_OUTBOUND:
  442                 currsp = pcbsp->sp_out;
  443                 break;
  444         default:
  445                 panic("ipsec4_getpolicybysock: illegal direction.");
  446         }
  447 
  448         /* sanity check */
  449         if (currsp == NULL)
  450                 panic("ipsec4_getpolicybysock: currsp is NULL.");
  451 
  452         /* when privileged socket */
  453         if (pcbsp->priv) {
  454                 switch (currsp->policy) {
  455                 case IPSEC_POLICY_BYPASS:
  456                         currsp->refcnt++;
  457                         *error = 0;
  458                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  459                         return currsp;
  460 
  461                 case IPSEC_POLICY_ENTRUST:
  462                         /* look for a policy in SPD */
  463                         if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
  464                             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  465                                 /* SP found */
  466                                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  467                                         printf("DP ipsec4_getpolicybysock called "
  468                                                "to allocate SP:%p\n", kernsp));
  469                                 *error = 0;
  470                                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  471                                 return kernsp;
  472                         }
  473 
  474                         /* no SP found */
  475                         ip4_def_policy->refcnt++;
  476                         *error = 0;
  477                         ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
  478                         return ip4_def_policy;
  479 
  480                 case IPSEC_POLICY_IPSEC:
  481                         currsp->refcnt++;
  482                         *error = 0;
  483                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  484                         return currsp;
  485 
  486                 default:
  487                         ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
  488                               "Invalid policy for PCB %d\n", currsp->policy));
  489                         *error = EINVAL;
  490                         return NULL;
  491                 }
  492                 /* NOTREACHED */
  493         }
  494 
  495         /* when non-privileged socket */
  496         /* look for a policy in SPD */
  497         if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
  498             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  499                 /* SP found */
  500                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  501                         printf("DP ipsec4_getpolicybysock called "
  502                                "to allocate SP:%p\n", kernsp));
  503                 *error = 0;
  504                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  505                 return kernsp;
  506         }
  507 
  508         /* no SP found */
  509         switch (currsp->policy) {
  510         case IPSEC_POLICY_BYPASS:
  511                 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
  512                        "Illegal policy for non-privileged defined %d\n",
  513                         currsp->policy));
  514                 *error = EINVAL;
  515                 return NULL;
  516 
  517         case IPSEC_POLICY_ENTRUST:
  518                 ip4_def_policy->refcnt++;
  519                 *error = 0;
  520                 ipsec_fillpcbcache(pcbsp, m, ip4_def_policy, dir);
  521                 return ip4_def_policy;
  522 
  523         case IPSEC_POLICY_IPSEC:
  524                 currsp->refcnt++;
  525                 *error = 0;
  526                 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  527                 return currsp;
  528 
  529         default:
  530                 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
  531                    "Invalid policy for PCB %d\n", currsp->policy));
  532                 *error = EINVAL;
  533                 return NULL;
  534         }
  535         /* NOTREACHED */
  536 }
  537 
  538 /*
  539  * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
  540  * and return a pointer to SP.
  541  * OUT: positive: a pointer to the entry for security policy leaf matched.
  542  *      NULL:   no apropreate SP found, the following value is set to error.
  543  *              0       : bypass
  544  *              EACCES  : discard packet.
  545  *              ENOENT  : ipsec_acquire() in progress, maybe.
  546  *              others  : error occurred.
  547  */
  548 struct secpolicy *
  549 ipsec4_getpolicybyaddr(m, dir, flag, error)
  550         struct mbuf *m;
  551         u_int dir;
  552         int flag;
  553         int *error;
  554 {
  555         struct secpolicy *sp = NULL;
  556 #ifdef SADB_X_EXT_TAG
  557         struct pf_tag *t;
  558 #endif
  559         u_int16_t tag;
  560 
  561         /* sanity check */
  562         if (m == NULL || error == NULL)
  563                 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
  564 
  565         /* get a policy entry matched with the packet */
  566     {
  567         struct secpolicyindex spidx;
  568 
  569         bzero(&spidx, sizeof(spidx));
  570 
  571         /* make an index to look for a policy */
  572         *error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
  573             (flag & IP_FORWARDING) ? 0 : 1);
  574 
  575         if (*error != 0)
  576                 return NULL;
  577 
  578 #ifdef SADB_X_EXT_TAG
  579         t = ipsec_get_tag(m);
  580         tag = t ? t->tag : 0;
  581 #else
  582         tag = 0;
  583 #endif
  584 
  585         sp = key_allocsp(tag, &spidx, dir);
  586     }
  587 
  588         /* SP found */
  589         if (sp != NULL) {
  590                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  591                         printf("DP ipsec4_getpolicybyaddr called "
  592                                "to allocate SP:%p\n", sp));
  593                 *error = 0;
  594                 return sp;
  595         }
  596 
  597         /* no SP found */
  598         ip4_def_policy->refcnt++;
  599         *error = 0;
  600         return ip4_def_policy;
  601 }
  602 
  603 #ifdef INET6
  604 /*
  605  * For OUTBOUND packet having a socket. Searching SPD for packet,
  606  * and return a pointer to SP.
  607  * OUT: NULL:   no apropreate SP found, the following value is set to error.
  608  *              0       : bypass
  609  *              EACCES  : discard packet.
  610  *              ENOENT  : ipsec_acquire() in progress, maybe.
  611  *              others  : error occurred.
  612  *      others: a pointer to SP
  613  */
  614 struct secpolicy *
  615 ipsec6_getpolicybysock(m, dir, so, error)
  616         struct mbuf *m;
  617         u_int dir;
  618         struct socket *so;
  619         int *error;
  620 {
  621         struct inpcbpolicy *pcbsp = NULL;
  622         struct secpolicy *currsp = NULL;        /* policy on socket */
  623         struct secpolicy *kernsp = NULL;        /* policy on kernel */
  624         struct secpolicyindex spidx;
  625 #ifdef SADB_X_EXT_TAG
  626         struct pf_tag *t;
  627 #endif
  628         u_int16_t tag;
  629 
  630         /* sanity check */
  631         if (m == NULL || so == NULL || error == NULL)
  632                 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
  633 
  634 #ifdef DIAGNOSTIC
  635         if (so->so_proto->pr_domain->dom_family != AF_INET6)
  636                 panic("ipsec6_getpolicybysock: socket domain != inet6");
  637 #endif
  638 
  639         pcbsp = sotoin6pcb(so)->in6p_sp;
  640 
  641 #ifdef DIAGNOSTIC
  642         if (pcbsp == NULL)
  643                 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
  644 #endif
  645 
  646 #ifdef SADB_X_EXT_TAG
  647         t = ipsec_get_tag(m);
  648         tag = t ? t->tag : 0;
  649 #else
  650         tag = 0;
  651 #endif
  652 
  653         /* if we have a cached entry, and if it is still valid, use it. */
  654         ipsec6stat.spdcachelookup++;
  655         currsp = ipsec_checkpcbcache(m, pcbsp, dir);
  656         if (currsp) {
  657                 *error = 0;
  658                 return currsp;
  659         }
  660         ipsec6stat.spdcachemiss++;
  661 
  662         switch (dir) {
  663         case IPSEC_DIR_INBOUND:
  664                 currsp = pcbsp->sp_in;
  665                 break;
  666         case IPSEC_DIR_OUTBOUND:
  667                 currsp = pcbsp->sp_out;
  668                 break;
  669         default:
  670                 panic("ipsec6_getpolicybysock: illegal direction.");
  671         }
  672 
  673         /* sanity check */
  674         if (currsp == NULL)
  675                 panic("ipsec6_getpolicybysock: currsp is NULL.");
  676 
  677         /* when privileged socket */
  678         if (pcbsp->priv) {
  679                 switch (currsp->policy) {
  680                 case IPSEC_POLICY_BYPASS:
  681                         currsp->refcnt++;
  682                         *error = 0;
  683                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  684                         return currsp;
  685 
  686                 case IPSEC_POLICY_ENTRUST:
  687                         /* look for a policy in SPD */
  688                         if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
  689                             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  690                                 /* SP found */
  691                                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  692                                         printf("DP ipsec6_getpolicybysock called "
  693                                                "to allocate SP:%p\n", kernsp));
  694                                 *error = 0;
  695                                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  696                                 return kernsp;
  697                         }
  698 
  699                         /* no SP found */
  700                         ip6_def_policy->refcnt++;
  701                         *error = 0;
  702                         ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
  703                         return ip6_def_policy;
  704 
  705                 case IPSEC_POLICY_IPSEC:
  706                         currsp->refcnt++;
  707                         *error = 0;
  708                         ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  709                         return currsp;
  710 
  711                 default:
  712                         ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
  713                             "Invalid policy for PCB %d\n", currsp->policy));
  714                         *error = EINVAL;
  715                         return NULL;
  716                 }
  717                 /* NOTREACHED */
  718         }
  719 
  720         /* when non-privileged socket */
  721         /* look for a policy in SPD */
  722         if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
  723             (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
  724                 /* SP found */
  725                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  726                         printf("DP ipsec6_getpolicybysock called "
  727                                "to allocate SP:%p\n", kernsp));
  728                 *error = 0;
  729                 ipsec_fillpcbcache(pcbsp, m, kernsp, dir);
  730                 return kernsp;
  731         }
  732 
  733         /* no SP found */
  734         switch (currsp->policy) {
  735         case IPSEC_POLICY_BYPASS:
  736                 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
  737                     "Illegal policy for non-privileged defined %d\n",
  738                     currsp->policy));
  739                 *error = EINVAL;
  740                 return NULL;
  741 
  742         case IPSEC_POLICY_ENTRUST:
  743                 ip6_def_policy->refcnt++;
  744                 *error = 0;
  745                 ipsec_fillpcbcache(pcbsp, m, ip6_def_policy, dir);
  746                 return ip6_def_policy;
  747 
  748         case IPSEC_POLICY_IPSEC:
  749                 currsp->refcnt++;
  750                 *error = 0;
  751                 ipsec_fillpcbcache(pcbsp, m, currsp, dir);
  752                 return currsp;
  753 
  754         default:
  755                 ipseclog((LOG_ERR,
  756                     "ipsec6_policybysock: Invalid policy for PCB %d\n",
  757                     currsp->policy));
  758                 *error = EINVAL;
  759                 return NULL;
  760         }
  761         /* NOTREACHED */
  762 }
  763 
  764 /*
  765  * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
  766  * and return a pointer to SP.
  767  * `flag' means that packet is to be forwarded whether or not.
  768  *      flag = 1: forwad
  769  * OUT: positive: a pointer to the entry for security policy leaf matched.
  770  *      NULL:   no apropreate SP found, the following value is set to error.
  771  *              0       : bypass
  772  *              EACCES  : discard packet.
  773  *              ENOENT  : ipsec_acquire() in progress, maybe.
  774  *              others  : error occurred.
  775  */
  776 #ifndef IP_FORWARDING
  777 #define IP_FORWARDING 1
  778 #endif
  779 
  780 struct secpolicy *
  781 ipsec6_getpolicybyaddr(m, dir, flag, error)
  782         struct mbuf *m;
  783         u_int dir;
  784         int flag;
  785         int *error;
  786 {
  787         struct secpolicy *sp = NULL;
  788 #ifdef SADB_X_EXT_TAG
  789         struct pf_tag *t;
  790 #endif
  791         u_int16_t tag;
  792 
  793         /* sanity check */
  794         if (m == NULL || error == NULL)
  795                 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
  796 
  797         /* get a policy entry matched with the packet */
  798     {
  799         struct secpolicyindex spidx;
  800 
  801         bzero(&spidx, sizeof(spidx));
  802 
  803         /* make an index to look for a policy */
  804         *error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
  805             (flag & IP_FORWARDING) ? 0 : 1);
  806 
  807         if (*error != 0)
  808                 return NULL;
  809 
  810 #ifdef SADB_X_EXT_TAG
  811         t = ipsec_get_tag(m);
  812         tag = t ? t->tag : 0;
  813 #else
  814         tag = 0;
  815 #endif
  816 
  817         sp = key_allocsp(tag, &spidx, dir);
  818     }
  819 
  820         /* SP found */
  821         if (sp != NULL) {
  822                 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
  823                         printf("DP ipsec6_getpolicybyaddr called "
  824                                "to allocate SP:%p\n", sp));
  825                 *error = 0;
  826                 return sp;
  827         }
  828 
  829         /* no SP found */
  830         ip6_def_policy->refcnt++;
  831         *error = 0;
  832         return ip6_def_policy;
  833 }
  834 #endif /* INET6 */
  835 
  836 /*
  837  * set IP address into spidx from mbuf.
  838  * When Forwarding packet and ICMP echo reply, this function is used.
  839  *
  840  * IN:  get the followings from mbuf.
  841  *      protocol family, src, dst, next protocol
  842  * OUT:
  843  *      0:      success.
  844  *      other:  failure, and set errno.
  845  */
  846 int
  847 ipsec_setspidx_mbuf(struct secpolicyindex *spidx, int family,
  848     struct mbuf *m, int needport)
  849 {
  850         int error;
  851 
  852         /* sanity check */
  853         if (spidx == NULL || m == NULL)
  854                 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
  855 
  856         bzero(spidx, sizeof(*spidx));
  857 
  858         error = ipsec_setspidx(m, spidx, needport);
  859         if (error)
  860                 goto bad;
  861 
  862         return 0;
  863 
  864     bad:
  865         /* XXX initialize */
  866         bzero(spidx, sizeof(*spidx));
  867         return EINVAL;
  868 }
  869 
  870 /*
  871  * configure security policy index (src/dst/proto/sport/dport)
  872  * by looking at the content of mbuf.
  873  * the caller is responsible for error recovery (like clearing up spidx).
  874  */
  875 static int
  876 ipsec_setspidx(m, spidx, needport)
  877         struct mbuf *m;
  878         struct secpolicyindex *spidx;
  879         int needport;
  880 {
  881         struct ip *ip = NULL;
  882         struct ip ipbuf;
  883         u_int v;
  884         struct mbuf *n;
  885         int len;
  886         int error;
  887 
  888         if (m == NULL)
  889                 panic("ipsec_setspidx: m == 0 passed.");
  890 
  891         bzero(spidx, sizeof(*spidx));
  892 
  893         /*
  894          * validate m->m_pkthdr.len.  we see incorrect length if we
  895          * mistakenly call this function with inconsistent mbuf chain
  896          * (like 4.4BSD tcp/udp processing).  XXX should we panic here?
  897          */
  898         len = 0;
  899         for (n = m; n; n = n->m_next)
  900                 len += n->m_len;
  901         if (m->m_pkthdr.len != len) {
  902                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  903                         printf("ipsec_setspidx: "
  904                                "total of m_len(%d) != pkthdr.len(%d), "
  905                                "ignored.\n",
  906                                 len, m->m_pkthdr.len));
  907                 return EINVAL;
  908         }
  909 
  910         if (m->m_pkthdr.len < sizeof(struct ip)) {
  911                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  912                         printf("ipsec_setspidx: "
  913                             "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
  914                             m->m_pkthdr.len));
  915                 return EINVAL;
  916         }
  917 
  918         if (m->m_len >= sizeof(*ip))
  919                 ip = mtod(m, struct ip *);
  920         else {
  921                 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
  922                 ip = &ipbuf;
  923         }
  924         v = ip->ip_v;
  925         switch (v) {
  926         case 4:
  927                 error = ipsec4_setspidx_ipaddr(m, spidx);
  928                 if (error)
  929                         return error;
  930                 ipsec4_get_ulp(m, spidx, needport);
  931                 return 0;
  932 #ifdef INET6
  933         case 6:
  934                 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
  935                         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  936                                 printf("ipsec_setspidx: "
  937                                     "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
  938                                     "ignored.\n", m->m_pkthdr.len));
  939                         return EINVAL;
  940                 }
  941                 error = ipsec6_setspidx_ipaddr(m, spidx);
  942                 if (error)
  943                         return error;
  944                 ipsec6_get_ulp(m, spidx, needport);
  945                 return 0;
  946 #endif
  947         default:
  948                 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
  949                         printf("ipsec_setspidx: "
  950                             "unknown IP version %u, ignored.\n", v));
  951                 return EINVAL;
  952         }
  953 }
  954 
  955 static void
  956 ipsec4_get_ulp(m, spidx, needport)
  957         struct mbuf *m;
  958         struct secpolicyindex *spidx;
  959         int needport;
  960 {
  961         struct ip ip;
  962         struct ip6_ext ip6e;
  963         u_int8_t nxt;
  964         int off;
  965         struct tcphdr th;
  966         struct udphdr uh;
  967 
  968         /* sanity check */
  969         if (m == NULL)
  970                 panic("ipsec4_get_ulp: NULL pointer was passed.");
  971         if (m->m_pkthdr.len < sizeof(ip))
  972                 panic("ipsec4_get_ulp: too short");
  973 
  974         /* set default */
  975         spidx->ul_proto = IPSEC_ULPROTO_ANY;
  976         ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
  977         ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
  978 
  979         m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
  980         if (ip.ip_off & htons(IP_MF | IP_OFFMASK))
  981                 return;
  982 
  983         nxt = ip.ip_p;
  984         off = ip.ip_hl << 2;
  985         while (off < m->m_pkthdr.len) {
  986                 switch (nxt) {
  987                 case IPPROTO_TCP:
  988                         spidx->ul_proto = nxt;
  989                         if (!needport)
  990                                 return;
  991                         if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
  992                                 return;
  993                         m_copydata(m, off, sizeof(th), (caddr_t)&th);
  994                         ((struct sockaddr_in *)&spidx->src)->sin_port =
  995                             th.th_sport;
  996                         ((struct sockaddr_in *)&spidx->dst)->sin_port =
  997                             th.th_dport;
  998                         return;
  999                 case IPPROTO_UDP:
 1000                         spidx->ul_proto = nxt;
 1001                         if (!needport)
 1002                                 return;
 1003                         if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
 1004                                 return;
 1005                         m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
 1006                         ((struct sockaddr_in *)&spidx->src)->sin_port =
 1007                             uh.uh_sport;
 1008                         ((struct sockaddr_in *)&spidx->dst)->sin_port =
 1009                             uh.uh_dport;
 1010                         return;
 1011                 case IPPROTO_AH:
 1012                         if (off + sizeof(ip6e) > m->m_pkthdr.len)
 1013                                 return;
 1014                         m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
 1015                         off += (ip6e.ip6e_len + 2) << 2;
 1016                         nxt = ip6e.ip6e_nxt;
 1017                         break;
 1018                 case IPPROTO_ICMP:
 1019                 default:
 1020                         /* XXX intermediate headers??? */
 1021                         spidx->ul_proto = nxt;
 1022                         return;
 1023                 }
 1024         }
 1025 }
 1026 
 1027 /* assumes that m is sane */
 1028 static int
 1029 ipsec4_setspidx_ipaddr(m, spidx)
 1030         struct mbuf *m;
 1031         struct secpolicyindex *spidx;
 1032 {
 1033         struct ip *ip = NULL;
 1034         struct ip ipbuf;
 1035         struct sockaddr_in *sin;
 1036 
 1037         if (m->m_len >= sizeof(*ip))
 1038                 ip = mtod(m, struct ip *);
 1039         else {
 1040                 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
 1041                 ip = &ipbuf;
 1042         }
 1043 
 1044         sin = (struct sockaddr_in *)&spidx->src;
 1045         bzero(sin, sizeof(*sin));
 1046         sin->sin_family = AF_INET;
 1047         sin->sin_len = sizeof(struct sockaddr_in);
 1048         bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
 1049         spidx->prefs = sizeof(struct in_addr) << 3;
 1050 
 1051         sin = (struct sockaddr_in *)&spidx->dst;
 1052         bzero(sin, sizeof(*sin));
 1053         sin->sin_family = AF_INET;
 1054         sin->sin_len = sizeof(struct sockaddr_in);
 1055         bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
 1056         spidx->prefd = sizeof(struct in_addr) << 3;
 1057         return 0;
 1058 }
 1059 
 1060 #ifdef INET6
 1061 static void
 1062 ipsec6_get_ulp(m, spidx, needport)
 1063         struct mbuf *m;
 1064         struct secpolicyindex *spidx;
 1065         int needport;
 1066 {
 1067         int off, nxt;
 1068         struct tcphdr th;
 1069         struct udphdr uh;
 1070 
 1071         /* sanity check */
 1072         if (m == NULL)
 1073                 panic("ipsec6_get_ulp: NULL pointer was passed.");
 1074 
 1075         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1076                 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
 1077 
 1078         /* set default */
 1079         spidx->ul_proto = IPSEC_ULPROTO_ANY;
 1080         ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
 1081         ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
 1082 
 1083         nxt = -1;
 1084         off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
 1085         if (off < 0 || m->m_pkthdr.len < off)
 1086                 return;
 1087 
 1088         switch (nxt) {
 1089         case IPPROTO_TCP:
 1090                 spidx->ul_proto = nxt;
 1091                 if (!needport)
 1092                         break;
 1093                 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
 1094                         break;
 1095                 m_copydata(m, off, sizeof(th), (caddr_t)&th);
 1096                 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
 1097                 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
 1098                 break;
 1099         case IPPROTO_UDP:
 1100                 spidx->ul_proto = nxt;
 1101                 if (!needport)
 1102                         break;
 1103                 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
 1104                         break;
 1105                 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
 1106                 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
 1107                 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
 1108                 break;
 1109         case IPPROTO_ICMPV6:
 1110         default:
 1111                 /* XXX intermediate headers??? */
 1112                 spidx->ul_proto = nxt;
 1113                 break;
 1114         }
 1115 }
 1116 
 1117 /* assumes that m is sane */
 1118 static int
 1119 ipsec6_setspidx_ipaddr(m, spidx)
 1120         struct mbuf *m;
 1121         struct secpolicyindex *spidx;
 1122 {
 1123         struct ip6_hdr *ip6 = NULL;
 1124         struct ip6_hdr ip6buf;
 1125         struct sockaddr_in6 *sin6;
 1126 
 1127         if (m->m_len >= sizeof(*ip6))
 1128                 ip6 = mtod(m, struct ip6_hdr *);
 1129         else {
 1130                 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
 1131                 ip6 = &ip6buf;
 1132         }
 1133 
 1134         sin6 = (struct sockaddr_in6 *)&spidx->src;
 1135         bzero(sin6, sizeof(*sin6));
 1136         sin6->sin6_family = AF_INET6;
 1137         sin6->sin6_len = sizeof(struct sockaddr_in6);
 1138         sin6->sin6_addr = ip6->ip6_src;
 1139         spidx->prefs = sizeof(struct in6_addr) << 3;
 1140 
 1141         sin6 = (struct sockaddr_in6 *)&spidx->dst;
 1142         bzero(sin6, sizeof(*sin6));
 1143         sin6->sin6_family = AF_INET6;
 1144         sin6->sin6_len = sizeof(struct sockaddr_in6);
 1145         sin6->sin6_addr = ip6->ip6_dst;
 1146         spidx->prefd = sizeof(struct in6_addr) << 3;
 1147 
 1148         return 0;
 1149 }
 1150 #endif
 1151 
 1152 static struct inpcbpolicy *
 1153 ipsec_newpcbpolicy()
 1154 {
 1155         struct inpcbpolicy *p;
 1156 
 1157         p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
 1158         return p;
 1159 }
 1160 
 1161 static void
 1162 ipsec_delpcbpolicy(p)
 1163         struct inpcbpolicy *p;
 1164 {
 1165 
 1166         free(p, M_SECA);
 1167 }
 1168 
 1169 /* initialize policy in PCB */
 1170 int
 1171 ipsec_init_pcbpolicy(so, pcb_sp)
 1172         struct socket *so;
 1173         struct inpcbpolicy **pcb_sp;
 1174 {
 1175         struct inpcbpolicy *new;
 1176         static int initialized = 0;
 1177         static struct secpolicy *in = NULL, *out = NULL;
 1178 
 1179         /* sanity check. */
 1180         if (so == NULL || pcb_sp == NULL)
 1181                 panic("ipsec_init_pcbpolicy: NULL pointer was passed.");
 1182 
 1183         if (!initialized) {
 1184                 if ((in = key_newsp(0)) == NULL)
 1185                         return ENOBUFS;
 1186                 if ((out = key_newsp(0)) == NULL) {
 1187                         key_freesp(in);
 1188                         in = NULL;
 1189                         return ENOBUFS;
 1190                 }
 1191 
 1192                 in->state = IPSEC_SPSTATE_ALIVE;
 1193                 in->policy = IPSEC_POLICY_ENTRUST;
 1194                 in->dir = IPSEC_DIR_INBOUND;
 1195                 in->readonly = 1;
 1196                 in->persist = 1;
 1197                 in->so = NULL;
 1198 
 1199                 out->state = IPSEC_SPSTATE_ALIVE;
 1200                 out->policy = IPSEC_POLICY_ENTRUST;
 1201                 out->dir = IPSEC_DIR_OUTBOUND;
 1202                 out->readonly = 1;
 1203                 out->persist = 1;
 1204                 out->so = NULL;
 1205 
 1206                 initialized++;
 1207         }
 1208 
 1209         new = ipsec_newpcbpolicy();
 1210         if (new == NULL) {
 1211                 ipseclog((LOG_DEBUG, "ipsec_init_pcbpolicy: No more memory.\n"));
 1212                 return ENOBUFS;
 1213         }
 1214         bzero(new, sizeof(*new));
 1215 
 1216         if (so->so_uidinfo->ui_uid == 0)        /* XXX */
 1217                 new->priv = 1;
 1218         else
 1219                 new->priv = 0;
 1220 
 1221         new->sp_in = in;
 1222         new->sp_in->refcnt++;
 1223         new->sp_out = out;
 1224         new->sp_out->refcnt++;
 1225 
 1226         *pcb_sp = new;
 1227 
 1228         return 0;
 1229 }
 1230 
 1231 /* copy old ipsec policy into new */
 1232 int
 1233 ipsec_copy_pcbpolicy(old, new)
 1234         struct inpcbpolicy *old, *new;
 1235 {
 1236 
 1237         if (new->sp_in)
 1238                 key_freesp(new->sp_in);
 1239         if (old->sp_in->policy == IPSEC_POLICY_IPSEC)
 1240                 new->sp_in = ipsec_deepcopy_policy(old->sp_in);
 1241         else {
 1242                 new->sp_in = old->sp_in;
 1243                 new->sp_in->refcnt++;
 1244         }
 1245 
 1246         if (new->sp_out)
 1247                 key_freesp(new->sp_out);
 1248         if (old->sp_out->policy == IPSEC_POLICY_IPSEC)
 1249                 new->sp_out = ipsec_deepcopy_policy(old->sp_out);
 1250         else {
 1251                 new->sp_out = old->sp_out;
 1252                 new->sp_out->refcnt++;
 1253         }
 1254 
 1255         new->priv = old->priv;
 1256 
 1257         return 0;
 1258 }
 1259 
 1260 #if 0
 1261 static int
 1262 ipsec_deepcopy_pcbpolicy(pcb_sp)
 1263         struct inpcbpolicy *pcb_sp;
 1264 {
 1265         struct secpolicy *sp;
 1266 
 1267         sp = ipsec_deepcopy_policy(pcb_sp->sp_in);
 1268         if (sp) {
 1269                 key_freesp(pcb_sp->sp_in);
 1270                 pcb_sp->sp_in = sp;
 1271         } else
 1272                 return ENOBUFS;
 1273 
 1274         sp = ipsec_deepcopy_policy(pcb_sp->sp_out);
 1275         if (sp) {
 1276                 key_freesp(pcb_sp->sp_out);
 1277                 pcb_sp->sp_out = sp;
 1278         } else
 1279                 return ENOBUFS;
 1280 
 1281         return 0;
 1282 }
 1283 #endif
 1284 
 1285 /* deep-copy a policy in PCB */
 1286 static struct secpolicy *
 1287 ipsec_deepcopy_policy(src)
 1288         struct secpolicy *src;
 1289 {
 1290         struct ipsecrequest *newchain = NULL;
 1291         struct ipsecrequest *p;
 1292         struct ipsecrequest **q;
 1293         struct ipsecrequest *r;
 1294         struct secpolicy *dst;
 1295 
 1296         if (src == NULL)
 1297                 return NULL;
 1298 
 1299         dst = key_newsp(0);
 1300         if (dst == NULL)
 1301                 return NULL;
 1302 
 1303         /*
 1304          * deep-copy IPsec request chain.  This is required since struct
 1305          * ipsecrequest is not reference counted.
 1306          */
 1307         q = &newchain;
 1308         for (p = src->req; p; p = p->next) {
 1309                 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
 1310                         M_SECA, M_NOWAIT);
 1311                 if (*q == NULL)
 1312                         goto fail;
 1313                 bzero(*q, sizeof(**q));
 1314                 (*q)->next = NULL;
 1315 
 1316                 (*q)->saidx.proto = p->saidx.proto;
 1317                 (*q)->saidx.mode = p->saidx.mode;
 1318                 (*q)->level = p->level;
 1319                 (*q)->saidx.reqid = p->saidx.reqid;
 1320 
 1321                 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
 1322                 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
 1323 
 1324                 (*q)->sav = NULL;
 1325                 (*q)->sp = dst;
 1326 
 1327                 q = &((*q)->next);
 1328         }
 1329 
 1330         if (src->spidx)
 1331                 if (keydb_setsecpolicyindex(dst, src->spidx) != 0)
 1332                         goto fail;
 1333 
 1334         dst->req = newchain;
 1335         dst->state = src->state;
 1336         dst->policy = src->policy;
 1337         dst->dir = src->dir;
 1338         dst->so = src->so;
 1339         /* do not touch the refcnt fields */
 1340 
 1341         return dst;
 1342 
 1343 fail:
 1344         for (p = newchain; p; p = r) {
 1345                 r = p->next;
 1346                 free(p, M_SECA);
 1347                 p = NULL;
 1348         }
 1349         key_freesp(dst);
 1350         return NULL;
 1351 }
 1352 
 1353 /* set policy and ipsec request if present. */
 1354 static int
 1355 ipsec_set_policy(struct secpolicy **spp, int optname, caddr_t request,
 1356     size_t len, int priv)
 1357 {
 1358         struct sadb_x_policy *xpl;
 1359         struct secpolicy *newsp = NULL;
 1360         int error;
 1361 
 1362         /* sanity check. */
 1363         if (spp == NULL || *spp == NULL || request == NULL)
 1364                 return EINVAL;
 1365         if (len < sizeof(*xpl))
 1366                 return EINVAL;
 1367         xpl = (struct sadb_x_policy *)request;
 1368 
 1369         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1370                 printf("ipsec_set_policy: passed policy\n");
 1371                 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
 1372 
 1373         /* check policy type */
 1374         /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
 1375         if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
 1376             xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
 1377                 return EINVAL;
 1378 
 1379         /* check privileged socket */
 1380         if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
 1381                 return EACCES;
 1382 
 1383         /* allocation new SP entry */
 1384         if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
 1385                 return error;
 1386 
 1387         newsp->state = IPSEC_SPSTATE_ALIVE;
 1388 
 1389         /* clear old SP and set new SP */
 1390         key_freesp(*spp);
 1391         *spp = newsp;
 1392         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1393                 printf("ipsec_set_policy: new policy\n");
 1394                 kdebug_secpolicy(newsp));
 1395 
 1396         return 0;
 1397 }
 1398 
 1399 static int
 1400 ipsec_get_policy(sp, mp)
 1401         struct secpolicy *sp;
 1402         struct mbuf **mp;
 1403 {
 1404 
 1405         /* sanity check. */
 1406         if (sp == NULL || mp == NULL)
 1407                 return EINVAL;
 1408 
 1409         *mp = key_sp2msg(sp);
 1410         if (!*mp) {
 1411                 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
 1412                 return ENOBUFS;
 1413         }
 1414 
 1415         (*mp)->m_type = MT_SOOPTS;
 1416         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1417                 printf("ipsec_get_policy:\n");
 1418                 kdebug_mbuf(*mp));
 1419 
 1420         return 0;
 1421 }
 1422 
 1423 int
 1424 ipsec4_set_policy(inp, optname, request, len, priv)
 1425         struct inpcb *inp;
 1426         int optname;
 1427         caddr_t request;
 1428         size_t len;
 1429         int priv;
 1430 {
 1431         struct sadb_x_policy *xpl;
 1432         struct secpolicy **spp;
 1433 
 1434         /* sanity check. */
 1435         if (inp == NULL || request == NULL)
 1436                 return EINVAL;
 1437         if (len < sizeof(*xpl))
 1438                 return EINVAL;
 1439         xpl = (struct sadb_x_policy *)request;
 1440 
 1441         /* select direction */
 1442         switch (xpl->sadb_x_policy_dir) {
 1443         case IPSEC_DIR_INBOUND:
 1444                 spp = &inp->inp_sp->sp_in;
 1445                 break;
 1446         case IPSEC_DIR_OUTBOUND:
 1447                 spp = &inp->inp_sp->sp_out;
 1448                 break;
 1449         default:
 1450                 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
 1451                         xpl->sadb_x_policy_dir));
 1452                 return EINVAL;
 1453         }
 1454 
 1455         ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
 1456         return ipsec_set_policy(spp, optname, request, len, priv);
 1457 }
 1458 
 1459 int
 1460 ipsec4_get_policy(inp, request, len, mp)
 1461         struct inpcb *inp;
 1462         caddr_t request;
 1463         size_t len;
 1464         struct mbuf **mp;
 1465 {
 1466         struct sadb_x_policy *xpl;
 1467         struct secpolicy *sp;
 1468 
 1469         /* sanity check. */
 1470         if (inp == NULL || request == NULL || mp == NULL)
 1471                 return EINVAL;
 1472         if (inp->inp_sp == NULL)
 1473                 panic("policy in PCB is NULL");
 1474         if (len < sizeof(*xpl))
 1475                 return EINVAL;
 1476         xpl = (struct sadb_x_policy *)request;
 1477 
 1478         /* select direction */
 1479         switch (xpl->sadb_x_policy_dir) {
 1480         case IPSEC_DIR_INBOUND:
 1481                 sp = inp->inp_sp->sp_in;
 1482                 break;
 1483         case IPSEC_DIR_OUTBOUND:
 1484                 sp = inp->inp_sp->sp_out;
 1485                 break;
 1486         default:
 1487                 ipseclog((LOG_ERR, "ipsec4_get_policy: invalid direction=%u\n",
 1488                         xpl->sadb_x_policy_dir));
 1489                 return EINVAL;
 1490         }
 1491 
 1492         return ipsec_get_policy(sp, mp);
 1493 }
 1494 
 1495 /* delete policy in PCB */
 1496 int
 1497 ipsec4_delete_pcbpolicy(inp)
 1498         struct inpcb *inp;
 1499 {
 1500         /* sanity check. */
 1501         if (inp == NULL)
 1502                 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
 1503 
 1504         if (inp->inp_sp == NULL)
 1505                 return 0;
 1506 
 1507         if (inp->inp_sp->sp_in != NULL) {
 1508                 key_freesp(inp->inp_sp->sp_in);
 1509                 inp->inp_sp->sp_in = NULL;
 1510         }
 1511 
 1512         if (inp->inp_sp->sp_out != NULL) {
 1513                 key_freesp(inp->inp_sp->sp_out);
 1514                 inp->inp_sp->sp_out = NULL;
 1515         }
 1516 
 1517         ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
 1518 
 1519         ipsec_delpcbpolicy(inp->inp_sp);
 1520         inp->inp_sp = NULL;
 1521 
 1522         return 0;
 1523 }
 1524 
 1525 #ifdef INET6
 1526 int
 1527 ipsec6_set_policy(in6p, optname, request, len, priv)
 1528         struct in6pcb *in6p;
 1529         int optname;
 1530         caddr_t request;
 1531         size_t len;
 1532         int priv;
 1533 {
 1534         struct sadb_x_policy *xpl;
 1535         struct secpolicy **spp;
 1536 
 1537         /* sanity check. */
 1538         if (in6p == NULL || request == NULL)
 1539                 return EINVAL;
 1540         if (len < sizeof(*xpl))
 1541                 return EINVAL;
 1542         xpl = (struct sadb_x_policy *)request;
 1543 
 1544         /* select direction */
 1545         switch (xpl->sadb_x_policy_dir) {
 1546         case IPSEC_DIR_INBOUND:
 1547                 spp = &in6p->in6p_sp->sp_in;
 1548                 break;
 1549         case IPSEC_DIR_OUTBOUND:
 1550                 spp = &in6p->in6p_sp->sp_out;
 1551                 break;
 1552         default:
 1553                 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
 1554                         xpl->sadb_x_policy_dir));
 1555                 return EINVAL;
 1556         }
 1557 
 1558         ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
 1559         return ipsec_set_policy(spp, optname, request, len, priv);
 1560 }
 1561 
 1562 int
 1563 ipsec6_get_policy(in6p, request, len, mp)
 1564         struct in6pcb *in6p;
 1565         caddr_t request;
 1566         size_t len;
 1567         struct mbuf **mp;
 1568 {
 1569         struct sadb_x_policy *xpl;
 1570         struct secpolicy *sp;
 1571 
 1572         /* sanity check. */
 1573         if (in6p == NULL || request == NULL || mp == NULL)
 1574                 return EINVAL;
 1575         if (in6p->in6p_sp == NULL)
 1576                 panic("policy in PCB is NULL");
 1577         if (len < sizeof(*xpl))
 1578                 return EINVAL;
 1579         xpl = (struct sadb_x_policy *)request;
 1580 
 1581         /* select direction */
 1582         switch (xpl->sadb_x_policy_dir) {
 1583         case IPSEC_DIR_INBOUND:
 1584                 sp = in6p->in6p_sp->sp_in;
 1585                 break;
 1586         case IPSEC_DIR_OUTBOUND:
 1587                 sp = in6p->in6p_sp->sp_out;
 1588                 break;
 1589         default:
 1590                 ipseclog((LOG_ERR, "ipsec6_get_policy: invalid direction=%u\n",
 1591                         xpl->sadb_x_policy_dir));
 1592                 return EINVAL;
 1593         }
 1594 
 1595         return ipsec_get_policy(sp, mp);
 1596 }
 1597 
 1598 int
 1599 ipsec6_delete_pcbpolicy(in6p)
 1600         struct in6pcb *in6p;
 1601 {
 1602         /* sanity check. */
 1603         if (in6p == NULL)
 1604                 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
 1605 
 1606         if (in6p->in6p_sp == NULL)
 1607                 return 0;
 1608 
 1609         if (in6p->in6p_sp->sp_in != NULL) {
 1610                 key_freesp(in6p->in6p_sp->sp_in);
 1611                 in6p->in6p_sp->sp_in = NULL;
 1612         }
 1613 
 1614         if (in6p->in6p_sp->sp_out != NULL) {
 1615                 key_freesp(in6p->in6p_sp->sp_out);
 1616                 in6p->in6p_sp->sp_out = NULL;
 1617         }
 1618 
 1619         ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
 1620 
 1621         ipsec_delpcbpolicy(in6p->in6p_sp);
 1622         in6p->in6p_sp = NULL;
 1623 
 1624         return 0;
 1625 }
 1626 #endif
 1627 
 1628 /*
 1629  * return current level.
 1630  * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
 1631  */
 1632 u_int
 1633 ipsec_get_reqlevel(isr, af)
 1634         struct ipsecrequest *isr;
 1635         int af;
 1636 {
 1637         u_int level = 0;
 1638         u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
 1639 
 1640         /* sanity check */
 1641         if (isr == NULL || isr->sp == NULL)
 1642                 panic("ipsec_get_reqlevel: NULL pointer is passed.");
 1643 
 1644         /* set default level */
 1645         switch (af) {
 1646 #ifdef INET
 1647         case AF_INET:
 1648                 esp_trans_deflev = ip4_esp_trans_deflev;
 1649                 esp_net_deflev = ip4_esp_net_deflev;
 1650                 ah_trans_deflev = ip4_ah_trans_deflev;
 1651                 ah_net_deflev = ip4_ah_net_deflev;
 1652                 break;
 1653 #endif
 1654 #ifdef INET6
 1655         case AF_INET6:
 1656                 esp_trans_deflev = ip6_esp_trans_deflev;
 1657                 esp_net_deflev = ip6_esp_net_deflev;
 1658                 ah_trans_deflev = ip6_ah_trans_deflev;
 1659                 ah_net_deflev = ip6_ah_net_deflev;
 1660                 break;
 1661 #endif /* INET6 */
 1662         default:
 1663                 panic("key_get_reqlevel: Unknown family. %d",
 1664                         ((struct sockaddr *)&isr->sp->spidx->src)->sa_family);
 1665         }
 1666 
 1667         /* set level */
 1668         switch (isr->level) {
 1669         case IPSEC_LEVEL_DEFAULT:
 1670                 switch (isr->saidx.proto) {
 1671                 case IPPROTO_ESP:
 1672                         if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 1673                                 level = esp_net_deflev;
 1674                         else
 1675                                 level = esp_trans_deflev;
 1676                         break;
 1677                 case IPPROTO_AH:
 1678                         if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 1679                                 level = ah_net_deflev;
 1680                         else
 1681                                 level = ah_trans_deflev;
 1682                         break;
 1683                 case IPPROTO_IPCOMP:
 1684                         /*
 1685                          * we don't really care, as IPcomp document says that
 1686                          * we shouldn't compress small packets
 1687                          */
 1688                         level = IPSEC_LEVEL_USE;
 1689                         break;
 1690                 case IPPROTO_IPV4:
 1691                 case IPPROTO_IPV6:
 1692                         /* should never go into here */
 1693                         level = IPSEC_LEVEL_REQUIRE;
 1694                         break;
 1695                 default:
 1696                         panic("ipsec_get_reqlevel: "
 1697                                 "Illegal protocol defined %u\n",
 1698                                 isr->saidx.proto);
 1699                 }
 1700                 break;
 1701 
 1702         case IPSEC_LEVEL_USE:
 1703         case IPSEC_LEVEL_REQUIRE:
 1704                 level = isr->level;
 1705                 break;
 1706         case IPSEC_LEVEL_UNIQUE:
 1707                 level = IPSEC_LEVEL_REQUIRE;
 1708                 break;
 1709 
 1710         default:
 1711                 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
 1712                         isr->level);
 1713         }
 1714 
 1715         return level;
 1716 }
 1717 
 1718 /*
 1719  * Check AH/ESP integrity.
 1720  * OUT:
 1721  *      0: valid
 1722  *      1: invalid
 1723  */
 1724 static int
 1725 ipsec_in_reject(sp, m)
 1726         struct secpolicy *sp;
 1727         struct mbuf *m;
 1728 {
 1729         struct ipsecrequest *isr;
 1730         u_int level;
 1731         int need_auth, need_conf, need_icv;
 1732 
 1733         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 1734                 printf("ipsec_in_reject: using SP\n");
 1735                 kdebug_secpolicy(sp));
 1736 
 1737         /* check policy */
 1738         switch (sp->policy) {
 1739         case IPSEC_POLICY_DISCARD:
 1740                 return 1;
 1741         case IPSEC_POLICY_BYPASS:
 1742         case IPSEC_POLICY_NONE:
 1743                 return 0;
 1744 
 1745         case IPSEC_POLICY_IPSEC:
 1746                 break;
 1747 
 1748         case IPSEC_POLICY_ENTRUST:
 1749         default:
 1750                 panic("ipsec_in_reject: Invalid policy found. %d", sp->policy);
 1751         }
 1752 
 1753         need_auth = 0;
 1754         need_conf = 0;
 1755         need_icv = 0;
 1756 
 1757         /* XXX should compare policy against ipsec header history */
 1758 
 1759         for (isr = sp->req; isr != NULL; isr = isr->next) {
 1760                 /* get current level */
 1761                 level = ipsec_get_reqlevel(isr, AF_INET);
 1762 
 1763                 switch (isr->saidx.proto) {
 1764                 case IPPROTO_ESP:
 1765                         if (level == IPSEC_LEVEL_REQUIRE) {
 1766                                 need_conf++;
 1767 
 1768                                 if (isr->sav != NULL
 1769                                  && isr->sav->flags == SADB_X_EXT_NONE
 1770                                  && isr->sav->alg_auth != SADB_AALG_NONE)
 1771                                         need_icv++;
 1772                         }
 1773                         break;
 1774                 case IPPROTO_AH:
 1775                         if (level == IPSEC_LEVEL_REQUIRE) {
 1776                                 need_auth++;
 1777                                 need_icv++;
 1778                         }
 1779                         break;
 1780                 case IPPROTO_IPCOMP:
 1781                         /*
 1782                          * we don't really care, as IPcomp document says that
 1783                          * we shouldn't compress small packets, IPComp policy
 1784                          * should always be treated as being in "use" level.
 1785                          */
 1786                         break;
 1787                 case IPPROTO_IPV4:
 1788                 case IPPROTO_IPV6:
 1789                         /*
 1790                          * XXX what shall we do, until introducing more complex
 1791                          * policy checking code?
 1792                          */
 1793                         break;
 1794                 }
 1795         }
 1796 
 1797         KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
 1798                 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
 1799                         need_auth, need_conf, need_icv, m->m_flags));
 1800 
 1801         if ((need_conf && !(m->m_flags & M_DECRYPTED))
 1802          || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
 1803          || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
 1804                 return 1;
 1805 
 1806         return 0;
 1807 }
 1808 
 1809 /*
 1810  * Check AH/ESP integrity.
 1811  * This function is called from tcp_input(), udp_input(),
 1812  * and {ah,esp}4_input for tunnel mode
 1813  */
 1814 int
 1815 ipsec4_in_reject_so(m, so)
 1816         struct mbuf *m;
 1817         struct socket *so;
 1818 {
 1819         struct secpolicy *sp = NULL;
 1820         int error;
 1821         int result;
 1822 
 1823         /* sanity check */
 1824         if (m == NULL)
 1825                 return 0;       /* XXX should be panic ? */
 1826 
 1827         /* get SP for this packet.
 1828          * When we are called from ip_forward(), we call
 1829          * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
 1830          */
 1831         if (so == NULL)
 1832                 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
 1833                     IP_FORWARDING, &error);
 1834         else
 1835                 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
 1836 
 1837         /* XXX should be panic ? -> No, there may be error. */
 1838         if (sp == NULL)
 1839                 return 0;
 1840 
 1841         result = ipsec_in_reject(sp, m);
 1842         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 1843                 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
 1844         key_freesp(sp);
 1845 
 1846         return result;
 1847 }
 1848 
 1849 int
 1850 ipsec4_in_reject(m, inp)
 1851         struct mbuf *m;
 1852         struct inpcb *inp;
 1853 {
 1854         if (inp == NULL)
 1855                 return ipsec4_in_reject_so(m, NULL);
 1856         if (inp->inp_socket)
 1857                 return ipsec4_in_reject_so(m, inp->inp_socket);
 1858         else
 1859                 panic("ipsec4_in_reject: invalid inpcb/socket");
 1860 }
 1861 
 1862 #ifdef INET6
 1863 /*
 1864  * Check AH/ESP integrity.
 1865  * This function is called from tcp6_input(), udp6_input(),
 1866  * and {ah,esp}6_input for tunnel mode
 1867  */
 1868 int
 1869 ipsec6_in_reject_so(m, so)
 1870         struct mbuf *m;
 1871         struct socket *so;
 1872 {
 1873         struct secpolicy *sp = NULL;
 1874         int error;
 1875         int result;
 1876 
 1877         /* sanity check */
 1878         if (m == NULL)
 1879                 return 0;       /* XXX should be panic ? */
 1880 
 1881         /* get SP for this packet.
 1882          * When we are called from ip_forward(), we call
 1883          * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
 1884          */
 1885         if (so == NULL)
 1886                 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
 1887                     IP_FORWARDING, &error);
 1888         else
 1889                 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
 1890 
 1891         if (sp == NULL)
 1892                 return 0;       /* XXX should be panic ? */
 1893 
 1894         result = ipsec_in_reject(sp, m);
 1895         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 1896                 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
 1897         key_freesp(sp);
 1898 
 1899         return result;
 1900 }
 1901 
 1902 int
 1903 ipsec6_in_reject(m, in6p)
 1904         struct mbuf *m;
 1905         struct in6pcb *in6p;
 1906 {
 1907         if (in6p == NULL)
 1908                 return ipsec6_in_reject_so(m, NULL);
 1909         if (in6p->in6p_socket)
 1910                 return ipsec6_in_reject_so(m, in6p->in6p_socket);
 1911         else
 1912                 panic("ipsec6_in_reject: invalid in6p/socket");
 1913 }
 1914 #endif
 1915 
 1916 /*
 1917  * compute the byte size to be occupied by IPsec header.
 1918  * in case it is tunneled, it includes the size of outer IP header.
 1919  * NOTE: SP passed is free in this function.
 1920  */
 1921 static size_t
 1922 ipsec_hdrsiz(sp)
 1923         struct secpolicy *sp;
 1924 {
 1925         struct ipsecrequest *isr;
 1926         size_t siz, clen;
 1927 
 1928         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 1929                 printf("ipsec_hdrsiz: using SP\n");
 1930                 kdebug_secpolicy(sp));
 1931 
 1932         /* check policy */
 1933         switch (sp->policy) {
 1934         case IPSEC_POLICY_DISCARD:
 1935         case IPSEC_POLICY_BYPASS:
 1936         case IPSEC_POLICY_NONE:
 1937                 return 0;
 1938 
 1939         case IPSEC_POLICY_IPSEC:
 1940                 break;
 1941 
 1942         case IPSEC_POLICY_ENTRUST:
 1943         default:
 1944                 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
 1945         }
 1946 
 1947         siz = 0;
 1948 
 1949         for (isr = sp->req; isr != NULL; isr = isr->next) {
 1950 
 1951                 clen = 0;
 1952 
 1953                 switch (isr->saidx.proto) {
 1954                 case IPPROTO_ESP:
 1955 #ifdef IPSEC_ESP
 1956                         clen = esp_hdrsiz(isr);
 1957 #else
 1958                         clen = 0;       /* XXX */
 1959 #endif
 1960                         break;
 1961                 case IPPROTO_AH:
 1962                         clen = ah_hdrsiz(isr);
 1963                         break;
 1964                 case IPPROTO_IPCOMP:
 1965                         clen = sizeof(struct ipcomp);
 1966                         break;
 1967                 case IPPROTO_IPV4:
 1968                 case IPPROTO_IPV6:
 1969                         /* the next "if" clause will compute it */
 1970                         clen = 0;
 1971                         break;
 1972                 }
 1973 
 1974                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 1975                         switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
 1976                         case AF_INET:
 1977                                 clen += sizeof(struct ip);
 1978                                 break;
 1979 #ifdef INET6
 1980                         case AF_INET6:
 1981                                 clen += sizeof(struct ip6_hdr);
 1982                                 break;
 1983 #endif
 1984                         default:
 1985                                 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
 1986                                     "unknown AF %d in IPsec tunnel SA\n",
 1987                                     ((struct sockaddr *)&isr->saidx.dst)->sa_family));
 1988                                 break;
 1989                         }
 1990                 }
 1991                 siz += clen;
 1992         }
 1993 
 1994         return siz;
 1995 }
 1996 
 1997 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
 1998 size_t
 1999 ipsec4_hdrsiz(m, dir, inp)
 2000         struct mbuf *m;
 2001         u_int dir;
 2002         struct inpcb *inp;
 2003 {
 2004         struct secpolicy *sp = NULL;
 2005         int error;
 2006         size_t size;
 2007 
 2008         /* sanity check */
 2009         if (m == NULL)
 2010                 return 0;       /* XXX should be panic ? */
 2011         if (inp != NULL && inp->inp_socket == NULL)
 2012                 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
 2013 
 2014         /* get SP for this packet.
 2015          * When we are called from ip_forward(), we call
 2016          * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
 2017          */
 2018         if (inp == NULL)
 2019                 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
 2020         else
 2021                 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
 2022 
 2023         if (sp == NULL)
 2024                 return 0;       /* XXX should be panic ? */
 2025 
 2026         size = ipsec_hdrsiz(sp);
 2027         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 2028                 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
 2029         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2030                 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
 2031         key_freesp(sp);
 2032 
 2033         return size;
 2034 }
 2035 
 2036 #ifdef INET6
 2037 /* This function is called from ipsec6_hdrsize_tcp(),
 2038  * and maybe from ip6_forward.()
 2039  */
 2040 size_t
 2041 ipsec6_hdrsiz(m, dir, in6p)
 2042         struct mbuf *m;
 2043         u_int dir;
 2044         struct in6pcb *in6p;
 2045 {
 2046         struct secpolicy *sp = NULL;
 2047         int error;
 2048         size_t size;
 2049 
 2050         /* sanity check */
 2051         if (m == NULL)
 2052                 return 0;       /* XXX should be panic ? */
 2053         if (in6p != NULL && in6p->in6p_socket == NULL)
 2054                 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
 2055 
 2056         /* get SP for this packet */
 2057         /* XXX Is it right to call with IP_FORWARDING. */
 2058         if (in6p == NULL)
 2059                 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
 2060         else
 2061                 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
 2062 
 2063         if (sp == NULL)
 2064                 return 0;
 2065         size = ipsec_hdrsiz(sp);
 2066         KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 2067                 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
 2068         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2069                 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
 2070         key_freesp(sp);
 2071 
 2072         return size;
 2073 }
 2074 #endif /* INET6 */
 2075 
 2076 #ifdef INET
 2077 /*
 2078  * encapsulate for ipsec tunnel.
 2079  * ip->ip_src must be fixed later on.
 2080  */
 2081 static int
 2082 ipsec4_encapsulate(m, sav)
 2083         struct mbuf *m;
 2084         struct secasvar *sav;
 2085 {
 2086         struct ip *oip;
 2087         struct ip *ip;
 2088         size_t hlen;
 2089         size_t plen;
 2090 
 2091         /* can't tunnel between different AFs */
 2092         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2093                 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
 2094          || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
 2095                 m_freem(m);
 2096                 return EINVAL;
 2097         }
 2098 #if 0
 2099         /* XXX if the dst is myself, perform nothing. */
 2100         if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
 2101                 m_freem(m);
 2102                 return EINVAL;
 2103         }
 2104 #endif
 2105 
 2106         if (m->m_len < sizeof(*ip))
 2107                 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
 2108 
 2109         ip = mtod(m, struct ip *);
 2110         hlen = ip->ip_hl << 2;
 2111 
 2112         if (m->m_len != hlen)
 2113                 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
 2114 
 2115         /* generate header checksum */
 2116         ip->ip_sum = 0;
 2117         ip->ip_sum = in_cksum(m, hlen);
 2118 
 2119         plen = m->m_pkthdr.len;
 2120 
 2121         /*
 2122          * grow the mbuf to accomodate the new IPv4 header.
 2123          * NOTE: IPv4 options will never be copied.
 2124          */
 2125         if (M_LEADINGSPACE(m->m_next) < hlen) {
 2126                 struct mbuf *n;
 2127                 MGET(n, M_DONTWAIT, MT_DATA);
 2128                 if (!n) {
 2129                         m_freem(m);
 2130                         return ENOBUFS;
 2131                 }
 2132                 n->m_len = hlen;
 2133                 n->m_next = m->m_next;
 2134                 m->m_next = n;
 2135         } else {
 2136                 m->m_next->m_len += hlen;
 2137                 m->m_next->m_data -= hlen;
 2138         }
 2139         oip = mtod(m->m_next, struct ip *);
 2140         m->m_pkthdr.len += hlen;
 2141         ip = mtod(m, struct ip *);
 2142         ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
 2143         m->m_len = sizeof(struct ip);
 2144         m->m_pkthdr.len -= (hlen - sizeof(struct ip));
 2145 
 2146         /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
 2147         /* ECN consideration. */
 2148         ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
 2149         ip->ip_hl = sizeof(struct ip) >> 2;
 2150         ip->ip_off &= htons(~IP_OFFMASK);
 2151         ip->ip_off &= htons(~IP_MF);
 2152         switch (ip4_ipsec_dfbit) {
 2153         case 0: /* clear DF bit */
 2154                 ip->ip_off &= htons(~IP_DF);
 2155                 break;
 2156         case 1: /* set DF bit */
 2157                 ip->ip_off |= htons(IP_DF);
 2158                 break;
 2159         default:        /* copy DF bit */
 2160                 break;
 2161         }
 2162         ip->ip_p = IPPROTO_IPIP;
 2163         if (plen + sizeof(struct ip) < IP_MAXPACKET)
 2164                 ip->ip_len = htons(plen + sizeof(struct ip));
 2165         else {
 2166                 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
 2167                     "leave ip_len as is (invalid packet)\n"));
 2168         }
 2169         ip->ip_id = ip_newid();
 2170         bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
 2171                 &ip->ip_src, sizeof(ip->ip_src));
 2172         bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
 2173                 &ip->ip_dst, sizeof(ip->ip_dst));
 2174         ip->ip_ttl = IPDEFTTL;
 2175 
 2176         /* XXX Should ip_src be updated later ? */
 2177 
 2178         return 0;
 2179 }
 2180 #endif /* INET */
 2181 
 2182 #ifdef INET6
 2183 static int
 2184 ipsec6_encapsulate(m, sav)
 2185         struct mbuf *m;
 2186         struct secasvar *sav;
 2187 {
 2188         struct ip6_hdr *oip6;
 2189         struct ip6_hdr *ip6;
 2190         size_t plen;
 2191         int error;
 2192         struct sockaddr_in6 sa6;
 2193 
 2194         /* can't tunnel between different AFs */
 2195         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2196                 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
 2197          || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
 2198                 m_freem(m);
 2199                 return EINVAL;
 2200         }
 2201 #if 0
 2202         /* XXX if the dst is myself, perform nothing. */
 2203         if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
 2204                 m_freem(m);
 2205                 return EINVAL;
 2206         }
 2207 #endif
 2208 
 2209         plen = m->m_pkthdr.len;
 2210 
 2211         /*
 2212          * grow the mbuf to accomodate the new IPv6 header.
 2213          */
 2214         if (m->m_len != sizeof(struct ip6_hdr))
 2215                 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
 2216         if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
 2217                 struct mbuf *n;
 2218                 MGET(n, M_DONTWAIT, MT_DATA);
 2219                 if (!n) {
 2220                         m_freem(m);
 2221                         return ENOBUFS;
 2222                 }
 2223                 n->m_len = sizeof(struct ip6_hdr);
 2224                 n->m_next = m->m_next;
 2225                 m->m_next = n;
 2226                 m->m_pkthdr.len += sizeof(struct ip6_hdr);
 2227                 oip6 = mtod(n, struct ip6_hdr *);
 2228         } else {
 2229                 m->m_next->m_len += sizeof(struct ip6_hdr);
 2230                 m->m_next->m_data -= sizeof(struct ip6_hdr);
 2231                 m->m_pkthdr.len += sizeof(struct ip6_hdr);
 2232                 oip6 = mtod(m->m_next, struct ip6_hdr *);
 2233         }
 2234         ip6 = mtod(m, struct ip6_hdr *);
 2235         ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
 2236 
 2237         /* Fake link-local scope-class addresses */
 2238         in6_clearscope(&oip6->ip6_src);
 2239         in6_clearscope(&oip6->ip6_dst);
 2240 
 2241         /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
 2242         /* ECN consideration. */
 2243         ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
 2244         if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
 2245                 ip6->ip6_plen = htons(plen);
 2246         else {
 2247                 /* ip6->ip6_plen will be updated in ip6_output() */
 2248         }
 2249         ip6->ip6_nxt = IPPROTO_IPV6;
 2250 
 2251         sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.src;
 2252         if ((error = sa6_embedscope(&sa6, 0)) != 0)
 2253                 return (error);
 2254         ip6->ip6_src = sa6.sin6_addr;
 2255 
 2256         sa6 = *(struct sockaddr_in6 *)&sav->sah->saidx.dst;
 2257         if ((error = sa6_embedscope(&sa6, 0)) != 0)
 2258                 return (error);
 2259         ip6->ip6_dst = sa6.sin6_addr;
 2260 
 2261         ip6->ip6_hlim = IPV6_DEFHLIM;
 2262 
 2263         /* XXX Should ip6_src be updated later ? */
 2264 
 2265         return 0;
 2266 }
 2267 #endif /* INET6 */
 2268 
 2269 /*
 2270  * Check the variable replay window.
 2271  * ipsec_chkreplay() performs replay check before ICV verification.
 2272  * ipsec_updatereplay() updates replay bitmap.  This must be called after
 2273  * ICV verification (it also performs replay check, which is usually done
 2274  * beforehand).
 2275  * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
 2276  *
 2277  * based on RFC 2401.
 2278  *
 2279  * XXX need to update for 64bit sequence number - 2401bis
 2280  */
 2281 int
 2282 ipsec_chkreplay(seq, sav)
 2283         u_int32_t seq;
 2284         struct secasvar *sav;
 2285 {
 2286         const struct secreplay *replay;
 2287         u_int32_t diff;
 2288         int fr;
 2289         u_int32_t wsizeb;       /* constant: bits of window size */
 2290         int frlast;             /* constant: last frame */
 2291 
 2292         /* sanity check */
 2293         if (sav == NULL)
 2294                 panic("ipsec_chkreplay: NULL pointer was passed.");
 2295 
 2296         replay = sav->replay;
 2297 
 2298         if (replay->wsize == 0)
 2299                 return 1;       /* no need to check replay. */
 2300 
 2301         /* constant */
 2302         frlast = replay->wsize - 1;
 2303         wsizeb = replay->wsize << 3;
 2304 
 2305         /* sequence number of 0 is invalid */
 2306         if (seq == 0)
 2307                 return 0;
 2308 
 2309         /* first time is always okay */
 2310         if (replay->count == 0)
 2311                 return 1;
 2312 
 2313         if (seq > replay->lastseq) {
 2314                 /* larger sequences are okay */
 2315                 return 1;
 2316         } else {
 2317                 /* seq is equal or less than lastseq. */
 2318                 diff = replay->lastseq - seq;
 2319 
 2320                 /* over range to check, i.e. too old or wrapped */
 2321                 if (diff >= wsizeb)
 2322                         return 0;
 2323 
 2324                 fr = frlast - diff / 8;
 2325 
 2326                 /* this packet already seen ? */
 2327                 if (replay->bitmap[fr] & (1 << (diff % 8)))
 2328                         return 0;
 2329 
 2330                 /* out of order but good */
 2331                 return 1;
 2332         }
 2333 }
 2334 
 2335 /*
 2336  * check replay counter whether to update or not.
 2337  * OUT: 0:      OK
 2338  *      1:      NG
 2339  * XXX need to update for 64bit sequence number - 2401bis
 2340  */
 2341 int
 2342 ipsec_updatereplay(seq, sav)
 2343         u_int32_t seq;
 2344         struct secasvar *sav;
 2345 {
 2346         struct secreplay *replay;
 2347         u_int64_t diff;
 2348         int fr;
 2349         u_int32_t wsizeb;       /* constant: bits of window size */
 2350         int frlast;             /* constant: last frame */
 2351 
 2352         /* sanity check */
 2353         if (sav == NULL)
 2354                 panic("ipsec_chkreplay: NULL pointer was passed.");
 2355 
 2356         replay = sav->replay;
 2357 
 2358         if (replay->wsize == 0)
 2359                 goto ok;        /* no need to check replay. */
 2360 
 2361         /* constant */
 2362         frlast = replay->wsize - 1;
 2363         wsizeb = replay->wsize << 3;
 2364 
 2365         /* sequence number of 0 is invalid */
 2366         if (seq == 0)
 2367                 return 1;
 2368 
 2369         /* first time */
 2370         if (replay->count == 0) {
 2371                 replay->lastseq = seq;
 2372                 bzero(replay->bitmap, replay->wsize);
 2373                 replay->bitmap[frlast] = 1;
 2374                 goto ok;
 2375         }
 2376 
 2377         if (seq > replay->lastseq) {
 2378                 /* seq is larger than lastseq. */
 2379                 diff = seq - replay->lastseq;
 2380 
 2381                 /* new larger sequence number */
 2382                 if (diff < wsizeb) {
 2383                         /* In window */
 2384                         /* set bit for this packet */
 2385                         vshiftl(replay->bitmap, diff, replay->wsize);
 2386                         replay->bitmap[frlast] |= 1;
 2387                 } else {
 2388                         /* this packet has a "way larger" */
 2389                         bzero(replay->bitmap, replay->wsize);
 2390                         replay->bitmap[frlast] = 1;
 2391                 }
 2392                 replay->lastseq = seq;
 2393 
 2394                 /* larger is good */
 2395         } else {
 2396                 /* seq is equal or less than lastseq. */
 2397                 diff = replay->lastseq - seq;
 2398 
 2399                 /* over range to check, i.e. too old or wrapped */
 2400                 if (diff >= wsizeb)
 2401                         return 1;
 2402 
 2403                 fr = frlast - diff / 8;
 2404 
 2405                 /* this packet already seen ? */
 2406                 if (replay->bitmap[fr] & (1 << (diff % 8)))
 2407                         return 1;
 2408 
 2409                 /* mark as seen */
 2410                 replay->bitmap[fr] |= (1 << (diff % 8));
 2411 
 2412                 /* out of order but good */
 2413         }
 2414 
 2415 ok:
 2416         if (replay->count == 0xffffffff) {
 2417 
 2418                 /* set overflow flag */
 2419                 replay->overflow++;
 2420 
 2421                 /* don't increment, no more packets accepted */
 2422                 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
 2423                         return 1;
 2424 
 2425                 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
 2426                     replay->overflow, ipsec_logsastr(sav)));
 2427         }
 2428 
 2429         replay->count++;
 2430 
 2431         return 0;
 2432 }
 2433 
 2434 /*
 2435  * shift variable length buffer to left.
 2436  * IN:  bitmap: pointer to the buffer
 2437  *      nbit:   the number of to shift.
 2438  *      wsize:  buffer size (bytes).
 2439  */
 2440 static void
 2441 vshiftl(bitmap, nbit, wsize)
 2442         unsigned char *bitmap;
 2443         int nbit, wsize;
 2444 {
 2445         int s, j, i;
 2446         unsigned char over;
 2447 
 2448         for (j = 0; j < nbit; j += 8) {
 2449                 s = (nbit - j < 8) ? (nbit - j): 8;
 2450                 bitmap[0] <<= s;
 2451                 for (i = 1; i < wsize; i++) {
 2452                         over = (bitmap[i] >> (8 - s));
 2453                         bitmap[i] <<= s;
 2454                         bitmap[i - 1] |= over;
 2455                 }
 2456         }
 2457 
 2458         return;
 2459 }
 2460 
 2461 const char *
 2462 ipsec4_logpacketstr(ip, spi)
 2463         struct ip *ip;
 2464         u_int32_t spi;
 2465 {
 2466         static char buf[256];
 2467         char *p;
 2468         u_int8_t *s, *d;
 2469 
 2470         s = (u_int8_t *)(&ip->ip_src);
 2471         d = (u_int8_t *)(&ip->ip_dst);
 2472 
 2473         p = buf;
 2474         snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
 2475         while (p && *p)
 2476                 p++;
 2477         snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
 2478                 s[0], s[1], s[2], s[3]);
 2479         while (p && *p)
 2480                 p++;
 2481         snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
 2482                 d[0], d[1], d[2], d[3]);
 2483         while (p && *p)
 2484                 p++;
 2485         snprintf(p, sizeof(buf) - (p - buf), ")");
 2486 
 2487         return buf;
 2488 }
 2489 
 2490 #ifdef INET6
 2491 const char *
 2492 ipsec6_logpacketstr(ip6, spi)
 2493         struct ip6_hdr *ip6;
 2494         u_int32_t spi;
 2495 {
 2496         static char buf[256];
 2497         char *p;
 2498 
 2499         p = buf;
 2500         snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
 2501         while (p && *p)
 2502                 p++;
 2503         snprintf(p, sizeof(buf) - (p - buf), "src=%s",
 2504                 ip6_sprintf(&ip6->ip6_src));
 2505         while (p && *p)
 2506                 p++;
 2507         snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
 2508                 ip6_sprintf(&ip6->ip6_dst));
 2509         while (p && *p)
 2510                 p++;
 2511         snprintf(p, sizeof(buf) - (p - buf), ")");
 2512 
 2513         return buf;
 2514 }
 2515 #endif /* INET6 */
 2516 
 2517 const char *
 2518 ipsec_logsastr(sav)
 2519         struct secasvar *sav;
 2520 {
 2521         static char buf[256];
 2522         char *p;
 2523         struct secasindex *saidx = &sav->sah->saidx;
 2524 
 2525         /* validity check */
 2526         if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
 2527                         != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
 2528                 panic("ipsec_logsastr: family mismatched.");
 2529 
 2530         p = buf;
 2531         snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
 2532         while (p && *p)
 2533                 p++;
 2534         if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
 2535                 u_int8_t *s, *d;
 2536                 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
 2537                 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
 2538                 snprintf(p, sizeof(buf) - (p - buf),
 2539                         "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
 2540                         s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
 2541         }
 2542 #ifdef INET6
 2543         else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
 2544                 snprintf(p, sizeof(buf) - (p - buf),
 2545                         "src=%s",
 2546                         ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
 2547                 while (p && *p)
 2548                         p++;
 2549                 snprintf(p, sizeof(buf) - (p - buf),
 2550                         " dst=%s",
 2551                         ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
 2552         }
 2553 #endif
 2554         while (p && *p)
 2555                 p++;
 2556         snprintf(p, sizeof(buf) - (p - buf), ")");
 2557 
 2558         return buf;
 2559 }
 2560 
 2561 void
 2562 ipsec_dumpmbuf(m)
 2563         struct mbuf *m;
 2564 {
 2565         int totlen;
 2566         int i;
 2567         u_char *p;
 2568 
 2569         totlen = 0;
 2570         printf("---\n");
 2571         while (m) {
 2572                 p = mtod(m, u_char *);
 2573                 for (i = 0; i < m->m_len; i++) {
 2574                         printf("%02x ", p[i]);
 2575                         totlen++;
 2576                         if (totlen % 16 == 0)
 2577                                 printf("\n");
 2578                 }
 2579                 m = m->m_next;
 2580         }
 2581         if (totlen % 16 != 0)
 2582                 printf("\n");
 2583         printf("---\n");
 2584 }
 2585 
 2586 #ifdef INET
 2587 static int
 2588 ipsec4_checksa(isr, state)
 2589         struct ipsecrequest *isr;
 2590         struct ipsec_output_state *state;
 2591 {
 2592         struct ip *ip;
 2593         struct secasindex saidx;
 2594         struct sockaddr_in *sin;
 2595 
 2596         /* make SA index for search proper SA */
 2597         ip = mtod(state->m, struct ip *);
 2598         bcopy(&isr->saidx, &saidx, sizeof(saidx));
 2599         saidx.mode = isr->saidx.mode;
 2600         saidx.reqid = isr->saidx.reqid;
 2601         sin = (struct sockaddr_in *)&saidx.src;
 2602         if (sin->sin_len == 0) {
 2603                 bzero(sin, sizeof(*sin));
 2604                 sin->sin_len = sizeof(*sin);
 2605                 sin->sin_family = AF_INET;
 2606                 sin->sin_port = IPSEC_PORT_ANY;
 2607                 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
 2608         }
 2609         sin = (struct sockaddr_in *)&saidx.dst;
 2610         if (sin->sin_len == 0) {
 2611                 bzero(sin, sizeof(*sin));
 2612                 sin->sin_len = sizeof(*sin);
 2613                 sin->sin_family = AF_INET;
 2614                 sin->sin_port = IPSEC_PORT_ANY;
 2615                 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
 2616         }
 2617 
 2618         return key_checkrequest(isr, &saidx);
 2619 }
 2620 /*
 2621  * IPsec output logic for IPv4.
 2622  */
 2623 int
 2624 ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp,
 2625     int flags)
 2626 {
 2627         struct ip *ip = NULL;
 2628         struct ipsecrequest *isr = NULL;
 2629         int s;
 2630         int error;
 2631         struct sockaddr_in *dst4;
 2632 
 2633         if (!state)
 2634                 panic("state == NULL in ipsec4_output");
 2635         if (!state->m)
 2636                 panic("state->m == NULL in ipsec4_output");
 2637         if (!state->ro)
 2638                 panic("state->ro == NULL in ipsec4_output");
 2639         if (!state->dst)
 2640                 panic("state->dst == NULL in ipsec4_output");
 2641         state->encap = 0;
 2642 
 2643         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2644                 printf("ipsec4_output: applyed SP\n");
 2645                 kdebug_secpolicy(sp));
 2646 
 2647         for (isr = sp->req; isr != NULL; isr = isr->next) {
 2648 
 2649 #if 0   /* give up to check restriction of transport mode */
 2650         /* XXX but should be checked somewhere */
 2651                 /*
 2652                  * some of the IPsec operation must be performed only in
 2653                  * originating case.
 2654                  */
 2655                 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
 2656                  && (flags & IP_FORWARDING))
 2657                         continue;
 2658 #endif
 2659                 error = ipsec4_checksa(isr, state);
 2660                 if (error != 0) {
 2661                         /*
 2662                          * IPsec processing is required, but no SA found.
 2663                          * I assume that key_acquire() had been called
 2664                          * to get/establish the SA. Here I discard
 2665                          * this packet because it is responsibility for
 2666                          * upper layer to retransmit the packet.
 2667                          */
 2668                         ipsecstat.out_nosa++;
 2669                         goto bad;
 2670                 }
 2671 
 2672                 /* validity check */
 2673                 if (isr->sav == NULL) {
 2674                         switch (ipsec_get_reqlevel(isr, AF_INET)) {
 2675                         case IPSEC_LEVEL_USE:
 2676                                 continue;
 2677                         case IPSEC_LEVEL_REQUIRE:
 2678                                 if (isr->saidx.proto == AF_INET ||
 2679                                     isr->saidx.proto == AF_INET6)
 2680                                         break;
 2681                                 /* must be not reached here. */
 2682                                 panic("ipsec4_output: no SA found, but required.");
 2683                         }
 2684                 }
 2685 
 2686                 /*
 2687                  * If there is no valid SA, we give up to process any
 2688                  * more.  In such a case, the SA's status is changed
 2689                  * from DYING to DEAD after allocating.  If a packet
 2690                  * send to the receiver by dead SA, the receiver can
 2691                  * not decode a packet because SA has been dead.
 2692                  */
 2693                 if (isr->sav->state != SADB_SASTATE_MATURE
 2694                  && isr->sav->state != SADB_SASTATE_DYING) {
 2695                         ipsecstat.out_nosa++;
 2696                         error = EINVAL;
 2697                         goto bad;
 2698                 }
 2699 
 2700                 /*
 2701                  * There may be the case that SA status will be changed when
 2702                  * we are refering to one. So calling splsoftnet().
 2703                  */
 2704                 s = splsoftnet();
 2705 
 2706                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2707                         /*
 2708                          * build IPsec tunnel.
 2709                          */
 2710                         /* XXX should be processed with other familiy */
 2711                         if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
 2712                                 ipseclog((LOG_ERR, "ipsec4_output: "
 2713                                     "family mismatched between inner and outer spi=%u\n",
 2714                                     (u_int32_t)ntohl(isr->sav->spi)));
 2715                                 splx(s);
 2716                                 error = EAFNOSUPPORT;
 2717                                 goto bad;
 2718                         }
 2719 
 2720                         state->m = ipsec4_splithdr(state->m);
 2721                         if (!state->m) {
 2722                                 splx(s);
 2723                                 error = ENOMEM;
 2724                                 goto bad;
 2725                         }
 2726                         error = ipsec4_encapsulate(state->m, isr->sav);
 2727                         splx(s);
 2728                         if (error) {
 2729                                 state->m = NULL;
 2730                                 goto bad;
 2731                         }
 2732                         ip = mtod(state->m, struct ip *);
 2733 
 2734                         state->ro = &isr->sav->sah->sa_route;
 2735                         state->dst = (struct sockaddr *)&state->ro->ro_dst;
 2736                         dst4 = (struct sockaddr_in *)state->dst;
 2737                         if (state->ro->ro_rt
 2738                          && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
 2739                           || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
 2740                                 RTFREE(state->ro->ro_rt);
 2741                                 bzero((caddr_t)state->ro, sizeof (*state->ro));
 2742                         }
 2743                         if (state->ro->ro_rt == 0) {
 2744                                 dst4->sin_family = AF_INET;
 2745                                 dst4->sin_len = sizeof(*dst4);
 2746                                 dst4->sin_addr = ip->ip_dst;
 2747                                 rtalloc(state->ro);
 2748                         }
 2749                         if (state->ro->ro_rt == 0) {
 2750                                 ipstat.ips_noroute++;
 2751                                 error = EHOSTUNREACH;
 2752                                 goto bad;
 2753                         }
 2754 
 2755                         /* adjust state->dst if tunnel endpoint is offlink */
 2756                         if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
 2757                                 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
 2758                                 dst4 = (struct sockaddr_in *)state->dst;
 2759                         }
 2760 
 2761                         state->encap++;
 2762                 } else
 2763                         splx(s);
 2764 
 2765                 state->m = ipsec4_splithdr(state->m);
 2766                 if (!state->m) {
 2767                         error = ENOMEM;
 2768                         goto bad;
 2769                 }
 2770                 switch (isr->saidx.proto) {
 2771                 case IPPROTO_ESP:
 2772 #ifdef IPSEC_ESP
 2773                         if ((error = esp4_output(state->m, isr)) != 0) {
 2774                                 state->m = NULL;
 2775                                 goto bad;
 2776                         }
 2777                         break;
 2778 #else
 2779                         m_freem(state->m);
 2780                         state->m = NULL;
 2781                         error = EINVAL;
 2782                         goto bad;
 2783 #endif
 2784                 case IPPROTO_AH:
 2785                         if ((error = ah4_output(state->m, isr)) != 0) {
 2786                                 state->m = NULL;
 2787                                 goto bad;
 2788                         }
 2789                         break;
 2790                 case IPPROTO_IPCOMP:
 2791                         if ((error = ipcomp4_output(state->m, isr)) != 0) {
 2792                                 state->m = NULL;
 2793                                 goto bad;
 2794                         }
 2795                         break;
 2796                 case IPPROTO_IPV4:
 2797                         break;
 2798                 case IPPROTO_IPV6:
 2799                         ipseclog((LOG_ERR, "ipsec4_output: "
 2800                             "family mismatched between inner and outer "
 2801                             "header\n"));
 2802                         error = EAFNOSUPPORT;
 2803                         goto bad;
 2804                 default:
 2805                         ipseclog((LOG_ERR,
 2806                             "ipsec4_output: unknown ipsec protocol %d\n",
 2807                             isr->saidx.proto));
 2808                         m_freem(state->m);
 2809                         state->m = NULL;
 2810                         error = EINVAL;
 2811                         goto bad;
 2812                 }
 2813 
 2814                 if (state->m == 0) {
 2815                         error = ENOMEM;
 2816                         goto bad;
 2817                 }
 2818                 ip = mtod(state->m, struct ip *);
 2819         }
 2820 
 2821         return 0;
 2822 
 2823 bad:
 2824         m_freem(state->m);
 2825         state->m = NULL;
 2826         return error;
 2827 }
 2828 #endif
 2829 
 2830 #ifdef INET6
 2831 static int
 2832 ipsec6_checksa(isr, state, tunnel)
 2833         struct ipsecrequest *isr;
 2834         struct ipsec_output_state *state;
 2835         int tunnel;
 2836 {
 2837         struct ip6_hdr *ip6;
 2838         struct secasindex saidx;
 2839         struct sockaddr_in6 *sin6;
 2840 
 2841         if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2842 #ifdef DIAGNOSTIC
 2843                 if (!tunnel)
 2844                         panic("ipsec6_checksa/inconsistent tunnel attribute");
 2845 #endif
 2846                 /* When tunnel mode, SA peers must be specified. */
 2847                 return key_checkrequest(isr, &isr->saidx);
 2848         }
 2849 
 2850         /* make SA index for search proper SA */
 2851         ip6 = mtod(state->m, struct ip6_hdr *);
 2852         if (tunnel) {
 2853                 bzero(&saidx, sizeof(saidx));
 2854                 saidx.proto = isr->saidx.proto;
 2855         } else
 2856                 bcopy(&isr->saidx, &saidx, sizeof(saidx));
 2857         saidx.mode = isr->saidx.mode;
 2858         saidx.reqid = isr->saidx.reqid;
 2859         sin6 = (struct sockaddr_in6 *)&saidx.src;
 2860         if (sin6->sin6_len == 0 || tunnel) {
 2861                 bzero(sin6, sizeof(*sin6));
 2862                 sin6->sin6_len = sizeof(*sin6);
 2863                 sin6->sin6_family = AF_INET6;
 2864                 sin6->sin6_port = IPSEC_PORT_ANY;
 2865                 sin6->sin6_addr = ip6->ip6_src;
 2866         }
 2867         sin6 = (struct sockaddr_in6 *)&saidx.dst;
 2868         if (sin6->sin6_len == 0 || tunnel) {
 2869                 bzero(sin6, sizeof(*sin6));
 2870                 sin6->sin6_len = sizeof(*sin6);
 2871                 sin6->sin6_family = AF_INET6;
 2872                 sin6->sin6_port = IPSEC_PORT_ANY;
 2873                 sin6->sin6_addr = ip6->ip6_dst;
 2874         }
 2875 
 2876         return key_checkrequest(isr, &saidx);
 2877 }
 2878 /*
 2879  * IPsec output logic for IPv6, transport mode.
 2880  */
 2881 int
 2882 ipsec6_output_trans(struct ipsec_output_state *state, u_char *nexthdrp,
 2883     struct mbuf *mprev, struct secpolicy *sp, int flags, int *tun)
 2884 {
 2885         struct ip6_hdr *ip6;
 2886         struct ipsecrequest *isr = NULL;
 2887         int error = 0;
 2888         int plen;
 2889 
 2890         if (!state)
 2891                 panic("state == NULL in ipsec6_output_trans");
 2892         if (!state->m)
 2893                 panic("state->m == NULL in ipsec6_output_trans");
 2894         if (!nexthdrp)
 2895                 panic("nexthdrp == NULL in ipsec6_output_trans");
 2896         if (!mprev)
 2897                 panic("mprev == NULL in ipsec6_output_trans");
 2898         if (!sp)
 2899                 panic("sp == NULL in ipsec6_output_trans");
 2900         if (!tun)
 2901                 panic("tun == NULL in ipsec6_output_trans");
 2902 
 2903         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 2904                 printf("ipsec6_output_trans: applyed SP\n");
 2905                 kdebug_secpolicy(sp));
 2906 
 2907         *tun = 0;
 2908         for (isr = sp->req; isr; isr = isr->next) {
 2909                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 2910                         /* the rest will be handled by ipsec6_output_tunnel() */
 2911                         break;
 2912                 }
 2913 
 2914                 error = ipsec6_checksa(isr, state, 0);
 2915                 if (error == ENOENT) {
 2916                         /*
 2917                          * IPsec processing is required, but no SA found.
 2918                          * I assume that key_acquire() had been called
 2919                          * to get/establish the SA. Here I discard
 2920                          * this packet because it is responsibility for
 2921                          * upper layer to retransmit the packet.
 2922                          */
 2923                         ipsec6stat.out_nosa++;
 2924 
 2925                         /*
 2926                          * Notify the fact that the packet is discarded
 2927                          * to ourselves. I believe this is better than
 2928                          * just silently discarding. (jinmei@kame.net)
 2929                          * XXX: should we restrict the error to TCP packets?
 2930                          * XXX: should we directly notify sockets via
 2931                          *      pfctlinputs?
 2932                          *
 2933                          * Noone have initialized rcvif until this point,
 2934                          * so clear it.
 2935                          */
 2936                         if ((state->m->m_flags & M_PKTHDR) != 0)
 2937                                 state->m->m_pkthdr.rcvif = NULL;
 2938                         icmp6_error(state->m, ICMP6_DST_UNREACH,
 2939                                     ICMP6_DST_UNREACH_ADMIN, 0);
 2940                         state->m = NULL; /* icmp6_error freed the mbuf */
 2941                         goto bad;
 2942                 }
 2943 
 2944                 /* validity check */
 2945                 if (isr->sav == NULL) {
 2946                         switch (ipsec_get_reqlevel(isr, AF_INET6)) {
 2947                         case IPSEC_LEVEL_USE:
 2948                                 continue;
 2949                         case IPSEC_LEVEL_REQUIRE:
 2950                                 /* must be not reached here. */
 2951                                 panic("ipsec6_output_trans: no SA found, but required.");
 2952                         }
 2953                 }
 2954 
 2955                 /*
 2956                  * If there is no valid SA, we give up to process.
 2957                  * see same place at ipsec4_output().
 2958                  */
 2959                 if (isr->sav->state != SADB_SASTATE_MATURE
 2960                  && isr->sav->state != SADB_SASTATE_DYING) {
 2961                         ipsec6stat.out_nosa++;
 2962                         error = EINVAL;
 2963                         goto bad;
 2964                 }
 2965 
 2966                 switch (isr->saidx.proto) {
 2967                 case IPPROTO_ESP:
 2968 #ifdef IPSEC_ESP
 2969                         error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
 2970 #else
 2971                         m_freem(state->m);
 2972                         error = EINVAL;
 2973 #endif
 2974                         break;
 2975                 case IPPROTO_AH:
 2976                         error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
 2977                         break;
 2978                 case IPPROTO_IPCOMP:
 2979                         error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
 2980                         break;
 2981                 default:
 2982                         ipseclog((LOG_ERR, "ipsec6_output_trans: "
 2983                             "unknown ipsec protocol %d\n", isr->saidx.proto));
 2984                         m_freem(state->m);
 2985                         ipsec6stat.out_inval++;
 2986                         error = EINVAL;
 2987                         break;
 2988                 }
 2989                 if (error) {
 2990                         state->m = NULL;
 2991                         goto bad;
 2992                 }
 2993                 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
 2994                 if (plen > IPV6_MAXPACKET) {
 2995                         ipseclog((LOG_ERR, "ipsec6_output_trans: "
 2996                             "IPsec with IPv6 jumbogram is not supported\n"));
 2997                         ipsec6stat.out_inval++;
 2998                         error = EINVAL; /* XXX */
 2999                         goto bad;
 3000                 }
 3001                 ip6 = mtod(state->m, struct ip6_hdr *);
 3002                 ip6->ip6_plen = htons(plen);
 3003         }
 3004 
 3005         /* if we have more to go, we need a tunnel mode processing */
 3006         if (isr != NULL)
 3007                 *tun = 1;
 3008 
 3009         return 0;
 3010 
 3011 bad:
 3012         m_freem(state->m);
 3013         state->m = NULL;
 3014         return error;
 3015 }
 3016 
 3017 /*
 3018  * IPsec output logic for IPv6, tunnel mode.
 3019  */
 3020 int
 3021 ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp,
 3022     int flags)
 3023 {
 3024         struct ip6_hdr *ip6;
 3025         struct ipsecrequest *isr = NULL;
 3026         int error = 0;
 3027         int plen;
 3028         struct sockaddr_in6* dst6;
 3029         int s;
 3030 
 3031         if (!state)
 3032                 panic("state == NULL in ipsec6_output_tunnel");
 3033         if (!state->m)
 3034                 panic("state->m == NULL in ipsec6_output_tunnel");
 3035         if (!sp)
 3036                 panic("sp == NULL in ipsec6_output_tunnel");
 3037 
 3038         KEYDEBUG(KEYDEBUG_IPSEC_DATA,
 3039                 printf("ipsec6_output_tunnel: applyed SP\n");
 3040                 kdebug_secpolicy(sp));
 3041 
 3042         /*
 3043          * transport mode ipsec (before the 1st tunnel mode) is already
 3044          * processed by ipsec6_output_trans().
 3045          */
 3046         for (isr = sp->req; isr; isr = isr->next) {
 3047                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
 3048                         break;
 3049         }
 3050 
 3051         for (/* already initialized */; isr; isr = isr->next) {
 3052                 error = ipsec6_checksa(isr, state, 1);
 3053                 if (error == ENOENT) {
 3054                         /*
 3055                          * IPsec processing is required, but no SA found.
 3056                          * I assume that key_acquire() had been called
 3057                          * to get/establish the SA. Here I discard
 3058                          * this packet because it is responsibility for
 3059                          * upper layer to retransmit the packet.
 3060                          */
 3061                         ipsec6stat.out_nosa++;
 3062                         error = ENOENT;
 3063                         goto bad;
 3064                 }
 3065 
 3066                 /* validity check */
 3067                 if (isr->sav == NULL) {
 3068                         switch (ipsec_get_reqlevel(isr, AF_INET6)) {
 3069                         case IPSEC_LEVEL_USE:
 3070                                 continue;
 3071                         case IPSEC_LEVEL_REQUIRE:
 3072                                 /* must be not reached here. */
 3073                                 panic("ipsec6_output_tunnel: no SA found, but required.");
 3074                         }
 3075                 }
 3076 
 3077                 /*
 3078                  * If there is no valid SA, we give up to process.
 3079                  * see same place at ipsec4_output().
 3080                  */
 3081                 if (isr->sav->state != SADB_SASTATE_MATURE
 3082                  && isr->sav->state != SADB_SASTATE_DYING) {
 3083                         ipsec6stat.out_nosa++;
 3084                         error = EINVAL;
 3085                         goto bad;
 3086                 }
 3087 
 3088                 /*
 3089                  * There may be the case that SA status will be changed when
 3090                  * we are refering to one. So calling splsoftnet().
 3091                  */
 3092                 s = splsoftnet();
 3093 
 3094                 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
 3095                         /*
 3096                          * build IPsec tunnel.
 3097                          */
 3098                         /* XXX should be processed with other familiy */
 3099                         if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
 3100                                 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3101                                     "family mismatched between inner and outer, spi=%u\n",
 3102                                     (u_int32_t)ntohl(isr->sav->spi)));
 3103                                 splx(s);
 3104                                 ipsec6stat.out_inval++;
 3105                                 error = EAFNOSUPPORT;
 3106                                 goto bad;
 3107                         }
 3108 
 3109                         state->m = ipsec6_splithdr(state->m);
 3110                         if (!state->m) {
 3111                                 splx(s);
 3112                                 ipsec6stat.out_nomem++;
 3113                                 error = ENOMEM;
 3114                                 goto bad;
 3115                         }
 3116                         error = ipsec6_encapsulate(state->m, isr->sav);
 3117                         splx(s);
 3118                         if (error) {
 3119                                 state->m = 0;
 3120                                 goto bad;
 3121                         }
 3122                         ip6 = mtod(state->m, struct ip6_hdr *);
 3123 
 3124                         state->ro = &isr->sav->sah->sa_route;
 3125                         state->dst = (struct sockaddr *)&state->ro->ro_dst;
 3126                         dst6 = (struct sockaddr_in6 *)state->dst;
 3127                         if (state->ro->ro_rt
 3128                          && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
 3129                           || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
 3130                                 RTFREE(state->ro->ro_rt);
 3131                                 bzero((caddr_t)state->ro, sizeof (*state->ro));
 3132                         }
 3133                         if (state->ro->ro_rt == 0) {
 3134                                 bzero(dst6, sizeof(*dst6));
 3135                                 dst6->sin6_family = AF_INET6;
 3136                                 dst6->sin6_len = sizeof(*dst6);
 3137                                 dst6->sin6_addr = ip6->ip6_dst;
 3138                                 rtalloc(state->ro);
 3139                         }
 3140                         if (state->ro->ro_rt == 0) {
 3141                                 ip6stat.ip6s_noroute++;
 3142                                 ipsec6stat.out_noroute++;
 3143                                 error = EHOSTUNREACH;
 3144                                 goto bad;
 3145                         }
 3146 
 3147                         /* adjust state->dst if tunnel endpoint is offlink */
 3148                         if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
 3149                                 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
 3150                                 dst6 = (struct sockaddr_in6 *)state->dst;
 3151                         }
 3152                 } else
 3153                         splx(s);
 3154 
 3155                 state->m = ipsec6_splithdr(state->m);
 3156                 if (!state->m) {
 3157                         ipsec6stat.out_nomem++;
 3158                         error = ENOMEM;
 3159                         goto bad;
 3160                 }
 3161                 ip6 = mtod(state->m, struct ip6_hdr *);
 3162                 switch (isr->saidx.proto) {
 3163                 case IPPROTO_ESP:
 3164 #ifdef IPSEC_ESP
 3165                         error = esp6_output(state->m, &ip6->ip6_nxt,
 3166                                             state->m->m_next, isr);
 3167 #else
 3168                         m_freem(state->m);
 3169                         error = EINVAL;
 3170 #endif
 3171                         break;
 3172                 case IPPROTO_AH:
 3173                         error = ah6_output(state->m, &ip6->ip6_nxt,
 3174                                            state->m->m_next, isr);
 3175                         break;
 3176                 case IPPROTO_IPCOMP:
 3177                         /* XXX code should be here */
 3178                         /* FALLTHROUGH */
 3179                 default:
 3180                         ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3181                             "unknown ipsec protocol %d\n", isr->saidx.proto));
 3182                         m_freem(state->m);
 3183                         ipsec6stat.out_inval++;
 3184                         error = EINVAL;
 3185                         break;
 3186                 }
 3187                 if (error) {
 3188                         state->m = NULL;
 3189                         goto bad;
 3190                 }
 3191                 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
 3192                 if (plen > IPV6_MAXPACKET) {
 3193                         ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
 3194                             "IPsec with IPv6 jumbogram is not supported\n"));
 3195                         ipsec6stat.out_inval++;
 3196                         error = EINVAL; /* XXX */
 3197                         goto bad;
 3198                 }
 3199                 ip6 = mtod(state->m, struct ip6_hdr *);
 3200                 ip6->ip6_plen = htons(plen);
 3201         }
 3202 
 3203         return 0;
 3204 
 3205 bad:
 3206         m_freem(state->m);
 3207         state->m = NULL;
 3208         return error;
 3209 }
 3210 #endif /* INET6 */
 3211 
 3212 #ifdef INET
 3213 /*
 3214  * Chop IP header and option off from the payload.
 3215  */
 3216 static struct mbuf *
 3217 ipsec4_splithdr(m)
 3218         struct mbuf *m;
 3219 {
 3220         struct mbuf *mh;
 3221         struct ip *ip;
 3222         int hlen;
 3223 
 3224         if (m->m_len < sizeof(struct ip)) {
 3225                 /* XXX Print and drop until we understand. */
 3226                 printf("ipsec4_splithdr: m->m_len %d m_length %d < %zu\n",
 3227                        m->m_len, m_length(m), sizeof(struct ip));
 3228                 m_freem(m);
 3229                 return NULL;
 3230 #if 0
 3231                 panic("ipsec4_splithdr: first mbuf too short");
 3232 #endif
 3233         }
 3234         ip = mtod(m, struct ip *);
 3235         hlen = ip->ip_hl << 2;
 3236         if (m->m_len > hlen) {
 3237                 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
 3238                 if (!mh) {
 3239                         m_freem(m);
 3240                         return NULL;
 3241                 }
 3242                 M_MOVE_PKTHDR(mh, m);
 3243                 MH_ALIGN(mh, hlen);
 3244                 m->m_len -= hlen;
 3245                 m->m_data += hlen;
 3246                 mh->m_next = m;
 3247                 m = mh;
 3248                 m->m_len = hlen;
 3249                 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
 3250         } else if (m->m_len < hlen) {
 3251                 m = m_pullup(m, hlen);
 3252                 if (!m)
 3253                         return NULL;
 3254         }
 3255         return m;
 3256 }
 3257 #endif
 3258 
 3259 #ifdef INET6
 3260 static struct mbuf *
 3261 ipsec6_splithdr(m)
 3262         struct mbuf *m;
 3263 {
 3264         struct mbuf *mh;
 3265         struct ip6_hdr *ip6;
 3266         int hlen;
 3267 
 3268         if (m->m_len < sizeof(struct ip6_hdr))
 3269                 panic("ipsec6_splithdr: first mbuf too short");
 3270         ip6 = mtod(m, struct ip6_hdr *);
 3271         hlen = sizeof(struct ip6_hdr);
 3272         if (m->m_len > hlen) {
 3273                 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
 3274                 if (!mh) {
 3275                         m_freem(m);
 3276                         return NULL;
 3277                 }
 3278                 M_MOVE_PKTHDR(mh, m);
 3279                 MH_ALIGN(mh, hlen);
 3280                 m->m_len -= hlen;
 3281                 m->m_data += hlen;
 3282                 mh->m_next = m;
 3283                 m = mh;
 3284                 m->m_len = hlen;
 3285                 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
 3286         } else if (m->m_len < hlen) {
 3287                 m = m_pullup(m, hlen);
 3288                 if (!m)
 3289                         return NULL;
 3290         }
 3291         return m;
 3292 }
 3293 #endif
 3294 
 3295 /* validate inbound IPsec tunnel packet. */
 3296 int
 3297 ipsec4_tunnel_validate(ip, nxt0, sav)
 3298         struct ip *ip;
 3299         u_int nxt0;
 3300         struct secasvar *sav;
 3301 {
 3302         u_int8_t nxt = nxt0 & 0xff;
 3303         struct sockaddr_in *sin;
 3304         int hlen;
 3305 
 3306         if (nxt != IPPROTO_IPV4)
 3307                 return 0;
 3308         /* do not decapsulate if the SA is for transport mode only */
 3309         if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
 3310                 return 0;
 3311         hlen = ip->ip_hl << 2;
 3312         if (hlen != sizeof(struct ip))
 3313                 return 0;
 3314         switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
 3315         case AF_INET:
 3316                 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
 3317                 if (bcmp(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst)) != 0)
 3318                         return 0;
 3319                 break;
 3320 #ifdef INET6
 3321         case AF_INET6:
 3322                 /* should be supported, but at this moment we don't. */
 3323                 /*FALLTHROUGH*/
 3324 #endif
 3325         default:
 3326                 return 0;
 3327         }
 3328 
 3329         return 1;
 3330 }
 3331 
 3332 #ifdef INET6
 3333 /* validate inbound IPsec tunnel packet. */
 3334 int
 3335 ipsec6_tunnel_validate(ip6, nxt0, sav)
 3336         struct ip6_hdr *ip6;
 3337         u_int nxt0;
 3338         struct secasvar *sav;
 3339 {
 3340         u_int8_t nxt = nxt0 & 0xff;
 3341         struct sockaddr_in6 sin6;
 3342 
 3343         if (nxt != IPPROTO_IPV6)
 3344                 return 0;
 3345         /* do not decapsulate if the SA is for transport mode only */
 3346         if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
 3347                 return 0;
 3348         switch (((struct sockaddr *)&sav->sah->saidx.dst)->sa_family) {
 3349         case AF_INET6:
 3350                 sin6 = *((struct sockaddr_in6 *)&sav->sah->saidx.dst);
 3351                 if (sa6_embedscope(&sin6, 0) != 0)
 3352                         return 0;
 3353                 if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &sin6.sin6_addr))
 3354                         return 0;
 3355                 break;
 3356         case AF_INET:
 3357                 /* should be supported, but at this moment we don't. */
 3358                 /*FALLTHROUGH*/
 3359         default:
 3360                 return 0;
 3361         }
 3362 
 3363         return 1;
 3364 }
 3365 #endif
 3366 
 3367 /*
 3368  * Make a mbuf chain for encryption.
 3369  * If the original mbuf chain contains a mbuf with a cluster,
 3370  * allocate a new cluster and copy the data to the new cluster.
 3371  * XXX: this hack is inefficient, but is necessary to handle cases
 3372  * of TCP retransmission...
 3373  */
 3374 struct mbuf *
 3375 ipsec_copypkt(m)
 3376         struct mbuf *m;
 3377 {
 3378         struct mbuf *n, **mpp, *mnew;
 3379 
 3380         for (n = m, mpp = &m; n; n = n->m_next) {
 3381                 if (n->m_flags & M_EXT) {
 3382                         /*
 3383                          * Make a copy only if there is more than one
 3384                          * references to the cluster.
 3385                          * XXX: is this approach effective?
 3386                          */
 3387                         if (M_READONLY(n))
 3388                         {
 3389                                 int remain, copied;
 3390                                 struct mbuf *mm;
 3391 
 3392                                 if (n->m_flags & M_PKTHDR) {
 3393                                         MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
 3394                                         if (mnew == NULL)
 3395                                                 goto fail;
 3396                                         mnew->m_pkthdr = n->m_pkthdr;
 3397 #if 0
 3398                                         /* XXX: convert to m_tag or delete? */
 3399                                         if (n->m_pkthdr.aux) {
 3400                                                 mnew->m_pkthdr.aux =
 3401                                                     m_copym(n->m_pkthdr.aux,
 3402                                                     0, M_COPYALL, M_DONTWAIT);
 3403                                         }
 3404 #endif
 3405                                         M_MOVE_PKTHDR(mnew, n);
 3406                                 }
 3407                                 else {
 3408                                         MGET(mnew, M_DONTWAIT, MT_DATA);
 3409                                         if (mnew == NULL)
 3410                                                 goto fail;
 3411                                 }
 3412                                 mnew->m_len = 0;
 3413                                 mm = mnew;
 3414 
 3415                                 /*
 3416                                  * Copy data. If we don't have enough space to
 3417                                  * store the whole data, allocate a cluster
 3418                                  * or additional mbufs.
 3419                                  * XXX: we don't use m_copyback(), since the
 3420                                  * function does not use clusters and thus is
 3421                                  * inefficient.
 3422                                  */
 3423                                 remain = n->m_len;
 3424                                 copied = 0;
 3425                                 while (1) {
 3426                                         int len;
 3427                                         struct mbuf *mn;
 3428 
 3429                                         if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
 3430                                                 len = remain;
 3431                                         else { /* allocate a cluster */
 3432                                                 MCLGET(mm, M_DONTWAIT);
 3433                                                 if (!(mm->m_flags & M_EXT)) {
 3434                                                         m_free(mm);
 3435                                                         goto fail;
 3436                                                 }
 3437                                                 len = remain < MCLBYTES ?
 3438                                                         remain : MCLBYTES;
 3439                                         }
 3440 
 3441                                         bcopy(n->m_data + copied, mm->m_data,
 3442                                               len);
 3443 
 3444                                         copied += len;
 3445                                         remain -= len;
 3446                                         mm->m_len = len;
 3447 
 3448                                         if (remain <= 0) /* completed? */
 3449                                                 break;
 3450 
 3451                                         /* need another mbuf */
 3452                                         MGETHDR(mn, M_DONTWAIT, MT_HEADER);
 3453                                         if (mn == NULL)
 3454                                                 goto fail;
 3455                                         mn->m_pkthdr.rcvif = NULL;
 3456                                         mm->m_next = mn;
 3457                                         mm = mn;
 3458                                 }
 3459 
 3460                                 /* adjust chain */
 3461                                 mm->m_next = m_free(n);
 3462                                 n = mm;
 3463                                 *mpp = mnew;
 3464                                 mpp = &n->m_next;
 3465 
 3466                                 continue;
 3467                         }
 3468                 }
 3469                 *mpp = n;
 3470                 mpp = &n->m_next;
 3471         }
 3472 
 3473         return (m);
 3474   fail:
 3475         m_freem(m);
 3476         return (NULL);
 3477 }
 3478 
 3479 static struct m_tag *
 3480 ipsec_addaux(m)
 3481         struct mbuf *m;
 3482 {
 3483         struct m_tag *mtag;
 3484 
 3485         mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
 3486         if (mtag == NULL) {
 3487                 mtag = m_tag_get(PACKET_TAG_ESP, sizeof(struct ipsecaux),
 3488                     M_NOWAIT);
 3489                 if (mtag != NULL)
 3490                         m_tag_prepend(m, mtag);
 3491         }
 3492         if (mtag == NULL)
 3493                 return NULL;    /* ENOBUFS */
 3494         /* XXX is this necessary? */
 3495         bzero((void *)(mtag + 1), sizeof(struct ipsecaux));
 3496         return mtag;
 3497 }
 3498 
 3499 static struct m_tag *
 3500 ipsec_findaux(m)
 3501         struct mbuf *m;
 3502 {
 3503         return m_tag_find(m, PACKET_TAG_ESP, NULL);
 3504 }
 3505 
 3506 void
 3507 ipsec_delaux(m)
 3508         struct mbuf *m;
 3509 {
 3510         struct m_tag *mtag;
 3511 
 3512         mtag = m_tag_find(m, PACKET_TAG_ESP, NULL);
 3513         if (mtag != NULL)
 3514                 m_tag_delete(m, mtag);
 3515 }
 3516 
 3517 /* if the aux buffer is unnecessary, nuke it. */
 3518 static void
 3519 ipsec_optaux(m, mtag)
 3520         struct mbuf *m;
 3521         struct m_tag *mtag;
 3522 {
 3523         struct ipsecaux *aux;
 3524 
 3525         if (mtag == NULL)
 3526                 return;
 3527         aux = (struct ipsecaux *)(mtag + 1);
 3528         if (!aux->so && !aux->sp)
 3529                 ipsec_delaux(m);
 3530 }
 3531 
 3532 int
 3533 ipsec_addhist(struct mbuf *m, int proto, u_int32_t spi)
 3534 {
 3535         struct m_tag *mtag;
 3536         struct ipsecaux *aux;
 3537 
 3538         mtag = ipsec_addaux(m);
 3539         if (mtag == NULL)
 3540                 return ENOBUFS;
 3541         aux = (struct ipsecaux *)(mtag + 1);
 3542         aux->hdrs++;
 3543         return 0;
 3544 }
 3545 
 3546 int
 3547 ipsec_getnhist(m)
 3548         struct mbuf *m;
 3549 {
 3550         struct m_tag *mtag;
 3551         struct ipsecaux *aux;
 3552 
 3553         mtag = ipsec_findaux(m);
 3554         if (mtag == NULL)
 3555                 return 0;
 3556         aux = (struct ipsecaux *)(mtag + 1);
 3557         return aux->hdrs;
 3558 }
 3559 
 3560 struct ipsec_history *
 3561 ipsec_gethist(struct mbuf *m, int *lenp)
 3562 {
 3563 
 3564         panic("ipsec_gethist: obsolete API");
 3565 }
 3566 
 3567 void
 3568 ipsec_clearhist(m)
 3569         struct mbuf *m;
 3570 {
 3571         struct m_tag *mtag;
 3572 
 3573         mtag = ipsec_findaux(m);
 3574         ipsec_optaux(m, mtag);
 3575 }
 3576 
 3577 /*
 3578  * System control for IPSEC
 3579  */
 3580 u_char  ipsecctlermap[PRC_NCMDS] = {
 3581         0,              0,              0,              0,
 3582         0,              EMSGSIZE,       EHOSTDOWN,      EHOSTUNREACH,
 3583         EHOSTUNREACH,   EHOSTUNREACH,   ECONNREFUSED,   ECONNREFUSED,
 3584         EMSGSIZE,       EHOSTUNREACH,   0,              0,
 3585         0,              0,              0,              0,
 3586         ENOPROTOOPT
 3587 };
 3588 
 3589 /*
 3590  * sysctl helper routine for some net.inet.ipsec and net.inet6.ipnet6
 3591  * nodes.  ensures that the given value is correct and clears the
 3592  * ipsec cache accordingly.
 3593  */
 3594 static int
 3595 sysctl_ipsec(SYSCTLFN_ARGS)
 3596 {
 3597         int error, t;
 3598         struct sysctlnode node;
 3599 
 3600         node = *rnode;
 3601         if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
 3602                 t = (*((struct secpolicy**)rnode->sysctl_data))->policy;
 3603         else
 3604                 t = *(int*)rnode->sysctl_data;
 3605         node.sysctl_data = &t;
 3606         error = sysctl_lookup(SYSCTLFN_CALL(&node));
 3607         if (error || newp == NULL)
 3608                 return (error);
 3609 
 3610         switch (rnode->sysctl_num) {
 3611         case IPSECCTL_DEF_ESP_TRANSLEV:
 3612         case IPSECCTL_DEF_ESP_NETLEV:
 3613         case IPSECCTL_DEF_AH_TRANSLEV:
 3614         case IPSECCTL_DEF_AH_NETLEV:
 3615                 if (t != IPSEC_LEVEL_USE &&
 3616                     t != IPSEC_LEVEL_REQUIRE)
 3617                         return (EINVAL);
 3618                 ipsec_invalpcbcacheall();
 3619                 break;
 3620         case IPSECCTL_DEF_POLICY:
 3621                 if (t != IPSEC_POLICY_DISCARD &&
 3622                     t != IPSEC_POLICY_NONE)
 3623                         return (EINVAL);
 3624                 ipsec_invalpcbcacheall();
 3625                 break;
 3626         default:
 3627                 return (EINVAL);
 3628         }
 3629 
 3630         if (rnode->sysctl_num == IPSECCTL_DEF_POLICY)
 3631                 (*((struct secpolicy**)rnode->sysctl_data))->policy = t;
 3632         else
 3633                 *(int*)rnode->sysctl_data = t;
 3634 
 3635         return (0);
 3636 }
 3637 
 3638 SYSCTL_SETUP(sysctl_net_inet_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
 3639 {
 3640 
 3641         sysctl_createv(clog, 0, NULL, NULL,
 3642                        CTLFLAG_PERMANENT,
 3643                        CTLTYPE_NODE, "net", NULL,
 3644                        NULL, 0, NULL, 0,
 3645                        CTL_NET, CTL_EOL);
 3646         sysctl_createv(clog, 0, NULL, NULL,
 3647                        CTLFLAG_PERMANENT,
 3648                        CTLTYPE_NODE, "inet", NULL,
 3649                        NULL, 0, NULL, 0,
 3650                        CTL_NET, PF_INET, CTL_EOL);
 3651         sysctl_createv(clog, 0, NULL, NULL,
 3652                        CTLFLAG_PERMANENT,
 3653                        CTLTYPE_NODE, "ipsec",
 3654                        SYSCTL_DESCR("IPv4 related IPSec settings"),
 3655                        NULL, 0, NULL, 0,
 3656                        CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
 3657 
 3658         sysctl_createv(clog, 0, NULL, NULL,
 3659                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3660                        CTLTYPE_STRUCT, "stats",
 3661                        SYSCTL_DESCR("IPSec statistics and counters"),
 3662                        NULL, 0, &ipsecstat, sizeof(ipsecstat),
 3663                        CTL_NET, PF_INET, IPPROTO_AH,
 3664                        IPSECCTL_STATS, CTL_EOL);
 3665         sysctl_createv(clog, 0, NULL, NULL,
 3666                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3667                        CTLTYPE_INT, "def_policy",
 3668                        SYSCTL_DESCR("Default action for non-IPSec packets"),
 3669                        sysctl_ipsec, 0, &ip4_def_policy, 0,
 3670                        CTL_NET, PF_INET, IPPROTO_AH,
 3671                        IPSECCTL_DEF_POLICY, CTL_EOL);
 3672         sysctl_createv(clog, 0, NULL, NULL,
 3673                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3674                        CTLTYPE_INT, "esp_trans_deflev",
 3675                        SYSCTL_DESCR("Default required security level for "
 3676                                     "transport mode traffic"),
 3677                        sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
 3678                        CTL_NET, PF_INET, IPPROTO_AH,
 3679                        IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
 3680         sysctl_createv(clog, 0, NULL, NULL,
 3681                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3682                        CTLTYPE_INT, "esp_net_deflev",
 3683                        SYSCTL_DESCR("Default required security level for "
 3684                                     "tunneled traffic"),
 3685                        sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
 3686                        CTL_NET, PF_INET, IPPROTO_AH,
 3687                        IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
 3688         sysctl_createv(clog, 0, NULL, NULL,
 3689                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3690                        CTLTYPE_INT, "ah_trans_deflev",
 3691                        SYSCTL_DESCR("Default required security level for "
 3692                                     "transport mode headers"),
 3693                        sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
 3694                        CTL_NET, PF_INET, IPPROTO_AH,
 3695                        IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
 3696         sysctl_createv(clog, 0, NULL, NULL,
 3697                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3698                        CTLTYPE_INT, "ah_net_deflev",
 3699                        SYSCTL_DESCR("Default required security level for "
 3700                                     "tunneled headers"),
 3701                        sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
 3702                        CTL_NET, PF_INET, IPPROTO_AH,
 3703                        IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
 3704 #if 0 /* obsolete, do not reuse */
 3705         sysctl_createv(clog, 0, NULL, NULL,
 3706                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3707                        CTLTYPE_INT, "inbound_call_ike", NULL,
 3708                        NULL, 0, &ip4_inbound_call_ike, 0,
 3709                        CTL_NET, PF_INET, IPPROTO_AH,
 3710                        IPSECCTL_INBOUND_CALL_IKE, CTL_EOL);
 3711 #endif
 3712         sysctl_createv(clog, 0, NULL, NULL,
 3713                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3714                        CTLTYPE_INT, "ah_cleartos",
 3715                        SYSCTL_DESCR("Clear IP TOS field before calculating AH"),
 3716                        NULL, 0, &ip4_ah_cleartos, 0,
 3717                        CTL_NET, PF_INET, IPPROTO_AH,
 3718                        IPSECCTL_AH_CLEARTOS, CTL_EOL);
 3719         sysctl_createv(clog, 0, NULL, NULL,
 3720                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3721                        CTLTYPE_INT, "ah_offsetmask",
 3722                        SYSCTL_DESCR("Mask for IP fragment offset field when "
 3723                                     "calculating AH"),
 3724                        NULL, 0, &ip4_ah_offsetmask, 0,
 3725                        CTL_NET, PF_INET, IPPROTO_AH,
 3726                        IPSECCTL_AH_OFFSETMASK, CTL_EOL);
 3727         sysctl_createv(clog, 0, NULL, NULL,
 3728                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3729                        CTLTYPE_INT, "dfbit",
 3730                        SYSCTL_DESCR("IP header DF bit setting for tunneled "
 3731                                     "traffic"),
 3732                        NULL, 0, &ip4_ipsec_dfbit, 0,
 3733                        CTL_NET, PF_INET, IPPROTO_AH,
 3734                        IPSECCTL_DFBIT, CTL_EOL);
 3735         sysctl_createv(clog, 0, NULL, NULL,
 3736                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3737                        CTLTYPE_INT, "ecn",
 3738                        SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
 3739                        NULL, 0, &ip4_ipsec_ecn, 0,
 3740                        CTL_NET, PF_INET, IPPROTO_AH,
 3741                        IPSECCTL_ECN, CTL_EOL);
 3742         sysctl_createv(clog, 0, NULL, NULL,
 3743                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3744                        CTLTYPE_INT, "debug",
 3745                        SYSCTL_DESCR("Enable IPSec debugging output"),
 3746                        NULL, 0, &ipsec_debug, 0,
 3747                        CTL_NET, PF_INET, IPPROTO_AH,
 3748                        IPSECCTL_DEBUG, CTL_EOL);
 3749 
 3750         /*
 3751          * "aliases" for the ipsec subtree
 3752          */
 3753         sysctl_createv(clog, 0, NULL, NULL,
 3754                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3755                        CTLTYPE_NODE, "esp", NULL,
 3756                        NULL, IPPROTO_AH, NULL, 0,
 3757                        CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
 3758         sysctl_createv(clog, 0, NULL, NULL,
 3759                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3760                        CTLTYPE_NODE, "ipcomp", NULL,
 3761                        NULL, IPPROTO_AH, NULL, 0,
 3762                        CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
 3763         sysctl_createv(clog, 0, NULL, NULL,
 3764                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3765                        CTLTYPE_NODE, "ah", NULL,
 3766                        NULL, IPPROTO_AH, NULL, 0,
 3767                        CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
 3768 }
 3769 
 3770 #ifdef INET6
 3771 /*
 3772  * System control for IPSEC6
 3773  */
 3774 u_char  ipsec6ctlermap[PRC_NCMDS] = {
 3775         0,              0,              0,              0,
 3776         0,              EMSGSIZE,       EHOSTDOWN,      EHOSTUNREACH,
 3777         EHOSTUNREACH,   EHOSTUNREACH,   ECONNREFUSED,   ECONNREFUSED,
 3778         EMSGSIZE,       EHOSTUNREACH,   0,              0,
 3779         0,              0,              0,              0,
 3780         ENOPROTOOPT
 3781 };
 3782 
 3783 SYSCTL_SETUP(sysctl_net_inet6_ipsec6_setup,
 3784              "sysctl net.inet6.ipsec6 subtree setup")
 3785 {
 3786 
 3787         sysctl_createv(clog, 0, NULL, NULL,
 3788                        CTLFLAG_PERMANENT,
 3789                        CTLTYPE_NODE, "net", NULL,
 3790                        NULL, 0, NULL, 0,
 3791                        CTL_NET, CTL_EOL);
 3792         sysctl_createv(clog, 0, NULL, NULL,
 3793                        CTLFLAG_PERMANENT,
 3794                        CTLTYPE_NODE, "inet6", NULL,
 3795                        NULL, 0, NULL, 0,
 3796                        CTL_NET, PF_INET6, CTL_EOL);
 3797         sysctl_createv(clog, 0, NULL, NULL,
 3798                        CTLFLAG_PERMANENT,
 3799                        CTLTYPE_NODE, "ipsec6",
 3800                        SYSCTL_DESCR("IPv6 related IPSec settings"),
 3801                        NULL, 0, NULL, 0,
 3802                        CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
 3803 
 3804         sysctl_createv(clog, 0, NULL, NULL,
 3805                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3806                        CTLTYPE_STRUCT, "stats",
 3807                        SYSCTL_DESCR("IPSec statistics and counters"),
 3808                        NULL, 0, &ipsec6stat, sizeof(ipsec6stat),
 3809                        CTL_NET, PF_INET6, IPPROTO_AH,
 3810                        IPSECCTL_STATS, CTL_EOL);
 3811         sysctl_createv(clog, 0, NULL, NULL,
 3812                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3813                        CTLTYPE_INT, "def_policy",
 3814                        SYSCTL_DESCR("Default action for non-IPSec packets"),
 3815                        sysctl_ipsec, 0, &ip6_def_policy, 0,
 3816                        CTL_NET, PF_INET6, IPPROTO_AH,
 3817                        IPSECCTL_DEF_POLICY, CTL_EOL);
 3818         sysctl_createv(clog, 0, NULL, NULL,
 3819                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3820                        CTLTYPE_INT, "esp_trans_deflev",
 3821                        SYSCTL_DESCR("Default required security level for "
 3822                                     "transport mode traffic"),
 3823                        sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0,
 3824                        CTL_NET, PF_INET6, IPPROTO_AH,
 3825                        IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
 3826         sysctl_createv(clog, 0, NULL, NULL,
 3827                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3828                        CTLTYPE_INT, "esp_net_deflev",
 3829                        SYSCTL_DESCR("Default required security level for "
 3830                                     "tunneled traffic"),
 3831                        sysctl_ipsec, 0, &ip6_esp_net_deflev, 0,
 3832                        CTL_NET, PF_INET6, IPPROTO_AH,
 3833                        IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
 3834         sysctl_createv(clog, 0, NULL, NULL,
 3835                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3836                        CTLTYPE_INT, "ah_trans_deflev",
 3837                        SYSCTL_DESCR("Default required security level for "
 3838                                     "transport mode headers"),
 3839                        sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0,
 3840                        CTL_NET, PF_INET6, IPPROTO_AH,
 3841                        IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
 3842         sysctl_createv(clog, 0, NULL, NULL,
 3843                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3844                        CTLTYPE_INT, "ah_net_deflev",
 3845                        SYSCTL_DESCR("Default required security level for "
 3846                                     "tunneled headers"),
 3847                        sysctl_ipsec, 0, &ip6_ah_net_deflev, 0,
 3848                        CTL_NET, PF_INET6, IPPROTO_AH,
 3849                        IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
 3850         sysctl_createv(clog, 0, NULL, NULL,
 3851                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3852                        CTLTYPE_INT, "ecn",
 3853                        SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
 3854                        NULL, 0, &ip6_ipsec_ecn, 0,
 3855                        CTL_NET, PF_INET6, IPPROTO_AH,
 3856                        IPSECCTL_ECN, CTL_EOL);
 3857         sysctl_createv(clog, 0, NULL, NULL,
 3858                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 3859                        CTLTYPE_INT, "debug",
 3860                        SYSCTL_DESCR("Enable IPSec debugging output"),
 3861                        NULL, 0, &ipsec_debug, 0,
 3862                        CTL_NET, PF_INET6, IPPROTO_AH,
 3863                        IPSECCTL_DEBUG, CTL_EOL);
 3864 
 3865         /*
 3866          * "aliases" for the ipsec6 subtree
 3867          */
 3868         sysctl_createv(clog, 0, NULL, NULL,
 3869                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3870                        CTLTYPE_NODE, "esp6", NULL,
 3871                        NULL, IPPROTO_AH, NULL, 0,
 3872                        CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
 3873         sysctl_createv(clog, 0, NULL, NULL,
 3874                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3875                        CTLTYPE_NODE, "ipcomp6", NULL,
 3876                        NULL, IPPROTO_AH, NULL, 0,
 3877                        CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
 3878         sysctl_createv(clog, 0, NULL, NULL,
 3879                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
 3880                        CTLTYPE_NODE, "ah6", NULL,
 3881                        NULL, IPPROTO_AH, NULL, 0,
 3882                        CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
 3883 }
 3884 #endif /* INET6 */

Cache object: e1fae83187ef2662e2e14da2264968c9


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.