1 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.12 2003/05/06 06:46:58 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ipsec.c,v 1.22 2008/05/27 01:10:43 dillon Exp $ */
3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * IPsec controller part.
39 #include "opt_inet6.h"
40 #include "opt_ipsec.h"
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
46 #include <sys/domain.h>
47 #include <sys/protosw.h>
48 #include <sys/socket.h>
49 #include <sys/socketvar.h>
50 #include <sys/errno.h>
52 #include <sys/kernel.h>
53 #include <sys/syslog.h>
54 #include <sys/sysctl.h>
56 #include <sys/in_cksum.h>
57 #include <sys/thread2.h>
60 #include <net/route.h>
62 #include <netinet/in.h>
63 #include <netinet/in_systm.h>
64 #include <netinet/ip.h>
65 #include <netinet/ip_var.h>
66 #include <netinet/in_var.h>
67 #include <netinet/udp.h>
68 #include <netinet/udp_var.h>
69 #include <netinet/ip_ecn.h>
71 #include <netinet6/ip6_ecn.h>
73 #include <netinet/tcp.h>
74 #include <netinet/udp.h>
76 #include <netinet/ip6.h>
78 #include <netinet6/ip6_var.h>
80 #include <netinet/in_pcb.h>
82 #include <netinet/icmp6.h>
85 #include <netinet6/ipsec.h>
87 #include <netinet6/ipsec6.h>
89 #include <netinet6/ah.h>
91 #include <netinet6/ah6.h>
94 #include <netinet6/esp.h>
96 #include <netinet6/esp6.h>
99 #include <netinet6/ipcomp.h>
101 #include <netinet6/ipcomp6.h>
103 #include <netproto/key/key.h>
104 #include <netproto/key/keydb.h>
105 #include <netproto/key/key_debug.h>
107 #include <net/net_osdep.h>
115 struct ipsecstat ipsecstat;
116 int ip4_ah_cleartos = 1;
117 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
118 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
119 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
120 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
122 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
123 struct secpolicy ip4_def_policy;
124 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
125 int ip4_esp_randpad = -1;
128 SYSCTL_DECL(_net_inet_ipsec);
130 SYSCTL_DECL(_net_inet6_ipsec6);
135 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
136 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
137 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
138 def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
140 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
142 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
144 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
146 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
148 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
150 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
152 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
154 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
156 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
157 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
158 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
161 struct ipsecstat ipsec6stat;
162 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
163 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
164 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
165 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
166 struct secpolicy ip6_def_policy;
167 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
168 int ip6_esp_randpad = -1;
170 /* net.inet6.ipsec6 */
171 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
172 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
173 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
174 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
175 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
176 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
177 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
178 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
179 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
180 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
181 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
182 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
183 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
184 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
185 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
186 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
187 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
188 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
191 static int ipsec_setspidx_mbuf
192 (struct secpolicyindex *, u_int, u_int, struct mbuf *, int);
193 static int ipsec4_setspidx_inpcb (struct mbuf *, struct inpcb *pcb);
195 static int ipsec6_setspidx_in6pcb (struct mbuf *, struct in6pcb *pcb);
197 static int ipsec_setspidx (struct mbuf *, struct secpolicyindex *, int);
198 static void ipsec4_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
199 static int ipsec4_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
201 static void ipsec6_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
202 static int ipsec6_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
204 static struct inpcbpolicy *ipsec_newpcbpolicy (void);
205 static void ipsec_delpcbpolicy (struct inpcbpolicy *);
206 static struct secpolicy *ipsec_deepcopy_policy (struct secpolicy *src);
207 static int ipsec_set_policy (struct secpolicy **pcb_sp,
208 int optname, caddr_t request, size_t len, int priv);
209 static int ipsec_get_policy (struct secpolicy *pcb_sp, struct mbuf **mp);
210 static void vshiftl (unsigned char *, int, int);
211 static int ipsec_in_reject (struct secpolicy *, struct mbuf *);
212 static size_t ipsec_hdrsiz (struct secpolicy *);
214 static struct mbuf *ipsec4_splithdr (struct mbuf *);
217 static struct mbuf *ipsec6_splithdr (struct mbuf *);
220 static int ipsec4_encapsulate (struct mbuf *, struct secasvar *);
223 static int ipsec6_encapsulate (struct mbuf *, struct secasvar *);
227 * For OUTBOUND packet having a socket. Searching SPD for packet,
228 * and return a pointer to SP.
229 * OUT: NULL: no apropreate SP found, the following value is set to error.
231 * EACCES : discard packet.
232 * ENOENT : ipsec_acquire() in progress, maybe.
233 * others : error occured.
234 * others: a pointer to SP
236 * NOTE: IPv6 mapped adddress concern is implemented here.
239 ipsec4_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
241 struct inpcbpolicy *pcbsp = NULL;
242 struct secpolicy *currsp = NULL; /* policy on socket */
243 struct secpolicy *kernsp = NULL; /* policy on kernel */
246 if (m == NULL || so == NULL || error == NULL)
247 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
249 switch (so->so_proto->pr_domain->dom_family) {
251 /* set spidx in pcb */
252 *error = ipsec4_setspidx_inpcb(m, so->so_pcb);
256 /* set spidx in pcb */
257 *error = ipsec6_setspidx_in6pcb(m, so->so_pcb);
261 panic("ipsec4_getpolicybysock: unsupported address family\n");
265 switch (so->so_proto->pr_domain->dom_family) {
267 pcbsp = sotoinpcb(so)->inp_sp;
271 pcbsp = sotoin6pcb(so)->in6p_sp;
278 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
281 case IPSEC_DIR_INBOUND:
282 currsp = pcbsp->sp_in;
284 case IPSEC_DIR_OUTBOUND:
285 currsp = pcbsp->sp_out;
288 panic("ipsec4_getpolicybysock: illegal direction.");
293 panic("ipsec4_getpolicybysock: currsp is NULL.");
295 lwkt_gettoken(&key_token);
297 /* when privilieged socket */
299 switch (currsp->policy) {
300 case IPSEC_POLICY_BYPASS:
303 lwkt_reltoken(&key_token);
306 case IPSEC_POLICY_ENTRUST:
307 /* look for a policy in SPD */
308 kernsp = key_allocsp(&currsp->spidx, dir);
311 if (kernsp != NULL) {
312 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
313 kprintf("DP ipsec4_getpolicybysock called "
314 "to allocate SP:%p\n", kernsp));
316 lwkt_reltoken(&key_token);
321 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
322 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
324 "fixed system default policy: %d->%d\n",
325 ip4_def_policy.policy, IPSEC_POLICY_NONE));
326 ip4_def_policy.policy = IPSEC_POLICY_NONE;
328 ip4_def_policy.refcnt++;
330 lwkt_reltoken(&key_token);
331 return &ip4_def_policy;
333 case IPSEC_POLICY_IPSEC:
336 lwkt_reltoken(&key_token);
340 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
341 "Invalid policy for PCB %d\n", currsp->policy));
343 lwkt_reltoken(&key_token);
349 /* when non-privilieged socket */
350 /* look for a policy in SPD */
351 kernsp = key_allocsp(&currsp->spidx, dir);
354 if (kernsp != NULL) {
355 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
356 kprintf("DP ipsec4_getpolicybysock called "
357 "to allocate SP:%p\n", kernsp));
359 lwkt_reltoken(&key_token);
364 switch (currsp->policy) {
365 case IPSEC_POLICY_BYPASS:
366 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
367 "Illegal policy for non-priviliged defined %d\n",
370 lwkt_reltoken(&key_token);
373 case IPSEC_POLICY_ENTRUST:
374 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
375 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
377 "fixed system default policy: %d->%d\n",
378 ip4_def_policy.policy, IPSEC_POLICY_NONE));
379 ip4_def_policy.policy = IPSEC_POLICY_NONE;
381 ip4_def_policy.refcnt++;
383 lwkt_reltoken(&key_token);
384 return &ip4_def_policy;
386 case IPSEC_POLICY_IPSEC:
389 lwkt_reltoken(&key_token);
393 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
394 "Invalid policy for PCB %d\n", currsp->policy));
396 lwkt_reltoken(&key_token);
403 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
404 * and return a pointer to SP.
405 * OUT: positive: a pointer to the entry for security policy leaf matched.
406 * NULL: no apropreate SP found, the following value is set to error.
408 * EACCES : discard packet.
409 * ENOENT : ipsec_acquire() in progress, maybe.
410 * others : error occured.
413 ipsec4_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
415 struct secpolicy *sp = NULL;
418 if (m == NULL || error == NULL)
419 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
422 struct secpolicyindex spidx;
424 bzero(&spidx, sizeof(spidx));
426 /* make a index to look for a policy */
427 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
428 (flag & IP_FORWARDING) ? 0 : 1);
433 sp = key_allocsp(&spidx, dir);
438 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
439 kprintf("DP ipsec4_getpolicybyaddr called "
440 "to allocate SP:%p\n", sp));
446 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
447 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
448 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
449 ip4_def_policy.policy,
451 ip4_def_policy.policy = IPSEC_POLICY_NONE;
453 ip4_def_policy.refcnt++;
455 return &ip4_def_policy;
460 * For OUTBOUND packet having a socket. Searching SPD for packet,
461 * and return a pointer to SP.
462 * OUT: NULL: no apropreate SP found, the following value is set to error.
464 * EACCES : discard packet.
465 * ENOENT : ipsec_acquire() in progress, maybe.
466 * others : error occured.
467 * others: a pointer to SP
470 ipsec6_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
472 struct inpcbpolicy *pcbsp = NULL;
473 struct secpolicy *currsp = NULL; /* policy on socket */
474 struct secpolicy *kernsp = NULL; /* policy on kernel */
477 if (m == NULL || so == NULL || error == NULL)
478 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
481 if (so->so_proto->pr_domain->dom_family != AF_INET6)
482 panic("ipsec6_getpolicybysock: socket domain != inet6");
485 /* set spidx in pcb */
486 ipsec6_setspidx_in6pcb(m, so->so_pcb);
488 pcbsp = sotoin6pcb(so)->in6p_sp;
492 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
495 case IPSEC_DIR_INBOUND:
496 currsp = pcbsp->sp_in;
498 case IPSEC_DIR_OUTBOUND:
499 currsp = pcbsp->sp_out;
502 panic("ipsec6_getpolicybysock: illegal direction.");
507 panic("ipsec6_getpolicybysock: currsp is NULL.");
509 /* when privilieged socket */
511 switch (currsp->policy) {
512 case IPSEC_POLICY_BYPASS:
517 case IPSEC_POLICY_ENTRUST:
518 /* look for a policy in SPD */
519 kernsp = key_allocsp(&currsp->spidx, dir);
522 if (kernsp != NULL) {
523 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
524 kprintf("DP ipsec6_getpolicybysock called "
525 "to allocate SP:%p\n", kernsp));
531 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
532 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
534 "fixed system default policy: %d->%d\n",
535 ip6_def_policy.policy, IPSEC_POLICY_NONE));
536 ip6_def_policy.policy = IPSEC_POLICY_NONE;
538 ip6_def_policy.refcnt++;
540 return &ip6_def_policy;
542 case IPSEC_POLICY_IPSEC:
548 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
549 "Invalid policy for PCB %d\n", currsp->policy));
556 /* when non-privilieged socket */
557 /* look for a policy in SPD */
558 kernsp = key_allocsp(&currsp->spidx, dir);
561 if (kernsp != NULL) {
562 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
563 kprintf("DP ipsec6_getpolicybysock called "
564 "to allocate SP:%p\n", kernsp));
570 switch (currsp->policy) {
571 case IPSEC_POLICY_BYPASS:
572 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
573 "Illegal policy for non-priviliged defined %d\n",
578 case IPSEC_POLICY_ENTRUST:
579 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
580 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
582 "fixed system default policy: %d->%d\n",
583 ip6_def_policy.policy, IPSEC_POLICY_NONE));
584 ip6_def_policy.policy = IPSEC_POLICY_NONE;
586 ip6_def_policy.refcnt++;
588 return &ip6_def_policy;
590 case IPSEC_POLICY_IPSEC:
597 "ipsec6_policybysock: Invalid policy for PCB %d\n",
606 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
607 * and return a pointer to SP.
608 * `flag' means that packet is to be forwarded whether or not.
610 * OUT: positive: a pointer to the entry for security policy leaf matched.
611 * NULL: no apropreate SP found, the following value is set to error.
613 * EACCES : discard packet.
614 * ENOENT : ipsec_acquire() in progress, maybe.
615 * others : error occured.
617 #ifndef IP_FORWARDING
618 #define IP_FORWARDING 1
622 ipsec6_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
624 struct secpolicy *sp = NULL;
627 if (m == NULL || error == NULL)
628 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
631 struct secpolicyindex spidx;
633 bzero(&spidx, sizeof(spidx));
635 /* make a index to look for a policy */
636 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
637 (flag & IP_FORWARDING) ? 0 : 1);
642 sp = key_allocsp(&spidx, dir);
647 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
648 kprintf("DP ipsec6_getpolicybyaddr called "
649 "to allocate SP:%p\n", sp));
655 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
656 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
657 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
658 ip6_def_policy.policy, IPSEC_POLICY_NONE));
659 ip6_def_policy.policy = IPSEC_POLICY_NONE;
661 ip6_def_policy.refcnt++;
663 return &ip6_def_policy;
668 * set IP address into spidx from mbuf.
669 * When Forwarding packet and ICMP echo reply, this function is used.
671 * IN: get the followings from mbuf.
672 * protocol family, src, dst, next protocol
675 * other: failure, and set errno.
678 ipsec_setspidx_mbuf(struct secpolicyindex *spidx, u_int dir, u_int family,
679 struct mbuf *m, int needport)
684 if (spidx == NULL || m == NULL)
685 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
687 bzero(spidx, sizeof(*spidx));
689 error = ipsec_setspidx(m, spidx, needport);
698 bzero(spidx, sizeof(*spidx));
703 ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb)
705 struct secpolicyindex *spidx;
710 panic("ipsec4_setspidx_inpcb: no PCB found.");
711 if (pcb->inp_sp == NULL)
712 panic("ipsec4_setspidx_inpcb: no inp_sp found.");
713 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
714 panic("ipsec4_setspidx_inpcb: no sp_in/out found.");
716 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
717 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
719 spidx = &pcb->inp_sp->sp_in->spidx;
720 error = ipsec_setspidx(m, spidx, 1);
723 spidx->dir = IPSEC_DIR_INBOUND;
725 spidx = &pcb->inp_sp->sp_out->spidx;
726 error = ipsec_setspidx(m, spidx, 1);
729 spidx->dir = IPSEC_DIR_OUTBOUND;
734 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
735 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
741 ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb)
743 struct secpolicyindex *spidx;
748 panic("ipsec6_setspidx_in6pcb: no PCB found.");
749 if (pcb->in6p_sp == NULL)
750 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.");
751 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
752 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.");
754 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
755 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
757 spidx = &pcb->in6p_sp->sp_in->spidx;
758 error = ipsec_setspidx(m, spidx, 1);
761 spidx->dir = IPSEC_DIR_INBOUND;
763 spidx = &pcb->in6p_sp->sp_out->spidx;
764 error = ipsec_setspidx(m, spidx, 1);
767 spidx->dir = IPSEC_DIR_OUTBOUND;
772 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
773 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
779 * configure security policy index (src/dst/proto/sport/dport)
780 * by looking at the content of mbuf.
781 * the caller is responsible for error recovery (like clearing up spidx).
784 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
786 struct ip *ip = NULL;
794 panic("ipsec_setspidx: m == 0 passed.");
797 * validate m->m_pkthdr.len. we see incorrect length if we
798 * mistakenly call this function with inconsistent mbuf chain
799 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
802 for (n = m; n; n = n->m_next)
804 if (m->m_pkthdr.len != len) {
805 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
806 kprintf("ipsec_setspidx: "
807 "total of m_len(%d) != pkthdr.len(%d), "
809 len, m->m_pkthdr.len));
813 if (m->m_pkthdr.len < sizeof(struct ip)) {
814 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
815 kprintf("ipsec_setspidx: "
816 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
821 if (m->m_len >= sizeof(*ip))
822 ip = mtod(m, struct ip *);
824 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
828 v = _IP_VHL_V(ip->ip_vhl);
834 error = ipsec4_setspidx_ipaddr(m, spidx);
837 ipsec4_get_ulp(m, spidx, needport);
841 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
842 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
843 kprintf("ipsec_setspidx: "
844 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
845 "ignored.\n", m->m_pkthdr.len));
848 error = ipsec6_setspidx_ipaddr(m, spidx);
851 ipsec6_get_ulp(m, spidx, needport);
855 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
856 kprintf("ipsec_setspidx: "
857 "unknown IP version %u, ignored.\n", v));
863 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
874 panic("ipsec4_get_ulp: NULL pointer was passed.");
875 if (m->m_pkthdr.len < sizeof(ip))
876 panic("ipsec4_get_ulp: too short");
879 spidx->ul_proto = IPSEC_ULPROTO_ANY;
880 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
881 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
883 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
884 /* ip_input() flips it into host endian XXX need more checking */
885 if (ip.ip_off & (IP_MF | IP_OFFMASK))
890 off = _IP_VHL_HL(ip->ip_vhl) << 2;
894 while (off < m->m_pkthdr.len) {
897 spidx->ul_proto = nxt;
900 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
902 m_copydata(m, off, sizeof(th), (caddr_t)&th);
903 ((struct sockaddr_in *)&spidx->src)->sin_port =
905 ((struct sockaddr_in *)&spidx->dst)->sin_port =
909 spidx->ul_proto = nxt;
912 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
914 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
915 ((struct sockaddr_in *)&spidx->src)->sin_port =
917 ((struct sockaddr_in *)&spidx->dst)->sin_port =
921 if (off + sizeof(ip6e) > m->m_pkthdr.len)
923 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
924 off += (ip6e.ip6e_len + 2) << 2;
929 /* XXX intermediate headers??? */
930 spidx->ul_proto = nxt;
936 /* assumes that m is sane */
938 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
940 struct ip *ip = NULL;
942 struct sockaddr_in *sin;
944 if (m->m_len >= sizeof(*ip))
945 ip = mtod(m, struct ip *);
947 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
951 sin = (struct sockaddr_in *)&spidx->src;
952 bzero(sin, sizeof(*sin));
953 sin->sin_family = AF_INET;
954 sin->sin_len = sizeof(struct sockaddr_in);
955 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
956 spidx->prefs = sizeof(struct in_addr) << 3;
958 sin = (struct sockaddr_in *)&spidx->dst;
959 bzero(sin, sizeof(*sin));
960 sin->sin_family = AF_INET;
961 sin->sin_len = sizeof(struct sockaddr_in);
962 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
963 spidx->prefd = sizeof(struct in_addr) << 3;
969 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
977 panic("ipsec6_get_ulp: NULL pointer was passed.");
979 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
980 kprintf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
983 spidx->ul_proto = IPSEC_ULPROTO_ANY;
984 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
985 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
988 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
989 if (off < 0 || m->m_pkthdr.len < off)
994 spidx->ul_proto = nxt;
997 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
999 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1000 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1001 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1004 spidx->ul_proto = nxt;
1007 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1009 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1010 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1011 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1013 case IPPROTO_ICMPV6:
1015 /* XXX intermediate headers??? */
1016 spidx->ul_proto = nxt;
1021 /* assumes that m is sane */
1023 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1025 struct ip6_hdr *ip6 = NULL;
1026 struct ip6_hdr ip6buf;
1027 struct sockaddr_in6 *sin6;
1029 if (m->m_len >= sizeof(*ip6))
1030 ip6 = mtod(m, struct ip6_hdr *);
1032 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1036 sin6 = (struct sockaddr_in6 *)&spidx->src;
1037 bzero(sin6, sizeof(*sin6));
1038 sin6->sin6_family = AF_INET6;
1039 sin6->sin6_len = sizeof(struct sockaddr_in6);
1040 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1041 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1042 sin6->sin6_addr.s6_addr16[1] = 0;
1043 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1045 spidx->prefs = sizeof(struct in6_addr) << 3;
1047 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1048 bzero(sin6, sizeof(*sin6));
1049 sin6->sin6_family = AF_INET6;
1050 sin6->sin6_len = sizeof(struct sockaddr_in6);
1051 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1052 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1053 sin6->sin6_addr.s6_addr16[1] = 0;
1054 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1056 spidx->prefd = sizeof(struct in6_addr) << 3;
1062 static struct inpcbpolicy *
1063 ipsec_newpcbpolicy(void)
1065 struct inpcbpolicy *p;
1067 p = (struct inpcbpolicy *)kmalloc(sizeof(*p), M_SECA, M_NOWAIT);
1072 ipsec_delpcbpolicy(struct inpcbpolicy *p)
1077 /* initialize policy in PCB */
1079 ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp)
1081 struct inpcbpolicy *new;
1084 if (so == NULL || pcb_sp == NULL)
1085 panic("ipsec_init_policy: NULL pointer was passed.");
1087 new = ipsec_newpcbpolicy();
1089 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1092 bzero(new, sizeof(*new));
1094 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1099 if ((new->sp_in = key_newsp()) == NULL) {
1100 ipsec_delpcbpolicy(new);
1103 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1104 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1106 if ((new->sp_out = key_newsp()) == NULL) {
1107 key_freesp(new->sp_in);
1108 ipsec_delpcbpolicy(new);
1111 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1112 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1119 /* copy old ipsec policy into new */
1121 ipsec_copy_policy(struct inpcbpolicy *old, struct inpcbpolicy *new)
1123 struct secpolicy *sp;
1125 sp = ipsec_deepcopy_policy(old->sp_in);
1127 key_freesp(new->sp_in);
1132 sp = ipsec_deepcopy_policy(old->sp_out);
1134 key_freesp(new->sp_out);
1139 new->priv = old->priv;
1144 /* deep-copy a policy in PCB */
1145 static struct secpolicy *
1146 ipsec_deepcopy_policy(struct secpolicy *src)
1148 struct ipsecrequest *newchain = NULL;
1149 struct ipsecrequest *p;
1150 struct ipsecrequest **q;
1151 struct ipsecrequest *r;
1152 struct secpolicy *dst;
1155 if (src == NULL || dst == NULL)
1159 * deep-copy IPsec request chain. This is required since struct
1160 * ipsecrequest is not reference counted.
1163 for (p = src->req; p; p = p->next) {
1164 *q = (struct ipsecrequest *)kmalloc(sizeof(struct ipsecrequest),
1165 M_SECA, M_NOWAIT | M_ZERO);
1170 (*q)->saidx.proto = p->saidx.proto;
1171 (*q)->saidx.mode = p->saidx.mode;
1172 (*q)->level = p->level;
1173 (*q)->saidx.reqid = p->saidx.reqid;
1175 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1176 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1184 dst->req = newchain;
1185 dst->state = src->state;
1186 dst->policy = src->policy;
1187 /* do not touch the refcnt fields */
1192 for (p = newchain; p; p = r) {
1200 /* set policy and ipsec request if present. */
1202 ipsec_set_policy(struct secpolicy **pcb_sp, int optname, caddr_t request,
1203 size_t len, int priv)
1205 struct sadb_x_policy *xpl;
1206 struct secpolicy *newsp = NULL;
1210 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1212 if (len < sizeof(*xpl))
1214 xpl = (struct sadb_x_policy *)request;
1216 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1217 kprintf("ipsec_set_policy: passed policy\n");
1218 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1220 /* check policy type */
1221 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1222 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1223 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1226 /* check privileged socket */
1227 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1230 /* allocation new SP entry */
1231 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1234 newsp->state = IPSEC_SPSTATE_ALIVE;
1236 /* clear old SP and set new SP */
1237 key_freesp(*pcb_sp);
1239 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1240 kprintf("ipsec_set_policy: new policy\n");
1241 kdebug_secpolicy(newsp));
1247 ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp)
1251 if (pcb_sp == NULL || mp == NULL)
1254 *mp = key_sp2msg(pcb_sp);
1256 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1260 KKASSERT((*mp)->m_type == MT_DATA);
1261 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1262 kprintf("ipsec_get_policy:\n");
1269 ipsec4_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len,
1272 struct sadb_x_policy *xpl;
1273 struct secpolicy **pcb_sp;
1276 if (inp == NULL || request == NULL)
1278 if (len < sizeof(*xpl))
1280 xpl = (struct sadb_x_policy *)request;
1282 /* select direction */
1283 switch (xpl->sadb_x_policy_dir) {
1284 case IPSEC_DIR_INBOUND:
1285 pcb_sp = &inp->inp_sp->sp_in;
1287 case IPSEC_DIR_OUTBOUND:
1288 pcb_sp = &inp->inp_sp->sp_out;
1291 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1292 xpl->sadb_x_policy_dir));
1296 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1300 ipsec4_get_policy(struct inpcb *inp, caddr_t request, size_t len,
1303 struct sadb_x_policy *xpl;
1304 struct secpolicy *pcb_sp;
1307 if (inp == NULL || request == NULL || mp == NULL)
1309 if (inp->inp_sp == NULL)
1310 panic("policy in PCB is NULL");
1311 if (len < sizeof(*xpl))
1313 xpl = (struct sadb_x_policy *)request;
1315 /* select direction */
1316 switch (xpl->sadb_x_policy_dir) {
1317 case IPSEC_DIR_INBOUND:
1318 pcb_sp = inp->inp_sp->sp_in;
1320 case IPSEC_DIR_OUTBOUND:
1321 pcb_sp = inp->inp_sp->sp_out;
1324 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1325 xpl->sadb_x_policy_dir));
1329 return ipsec_get_policy(pcb_sp, mp);
1332 /* delete policy in PCB */
1334 ipsec4_delete_pcbpolicy(struct inpcb *inp)
1338 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1340 if (inp->inp_sp == NULL)
1343 if (inp->inp_sp->sp_in != NULL) {
1344 key_freesp(inp->inp_sp->sp_in);
1345 inp->inp_sp->sp_in = NULL;
1348 if (inp->inp_sp->sp_out != NULL) {
1349 key_freesp(inp->inp_sp->sp_out);
1350 inp->inp_sp->sp_out = NULL;
1353 ipsec_delpcbpolicy(inp->inp_sp);
1361 ipsec6_set_policy(struct in6pcb *in6p, int optname, caddr_t request, size_t len,
1364 struct sadb_x_policy *xpl;
1365 struct secpolicy **pcb_sp;
1368 if (in6p == NULL || request == NULL)
1370 if (len < sizeof(*xpl))
1372 xpl = (struct sadb_x_policy *)request;
1374 /* select direction */
1375 switch (xpl->sadb_x_policy_dir) {
1376 case IPSEC_DIR_INBOUND:
1377 pcb_sp = &in6p->in6p_sp->sp_in;
1379 case IPSEC_DIR_OUTBOUND:
1380 pcb_sp = &in6p->in6p_sp->sp_out;
1383 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1384 xpl->sadb_x_policy_dir));
1388 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1392 ipsec6_get_policy(struct in6pcb *in6p, caddr_t request, size_t len,
1395 struct sadb_x_policy *xpl;
1396 struct secpolicy *pcb_sp;
1399 if (in6p == NULL || request == NULL || mp == NULL)
1401 if (in6p->in6p_sp == NULL)
1402 panic("policy in PCB is NULL");
1403 if (len < sizeof(*xpl))
1405 xpl = (struct sadb_x_policy *)request;
1407 /* select direction */
1408 switch (xpl->sadb_x_policy_dir) {
1409 case IPSEC_DIR_INBOUND:
1410 pcb_sp = in6p->in6p_sp->sp_in;
1412 case IPSEC_DIR_OUTBOUND:
1413 pcb_sp = in6p->in6p_sp->sp_out;
1416 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1417 xpl->sadb_x_policy_dir));
1421 return ipsec_get_policy(pcb_sp, mp);
1425 ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
1429 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1431 if (in6p->in6p_sp == NULL)
1434 if (in6p->in6p_sp->sp_in != NULL) {
1435 key_freesp(in6p->in6p_sp->sp_in);
1436 in6p->in6p_sp->sp_in = NULL;
1439 if (in6p->in6p_sp->sp_out != NULL) {
1440 key_freesp(in6p->in6p_sp->sp_out);
1441 in6p->in6p_sp->sp_out = NULL;
1444 ipsec_delpcbpolicy(in6p->in6p_sp);
1445 in6p->in6p_sp = NULL;
1452 * return current level.
1453 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1456 ipsec_get_reqlevel(struct ipsecrequest *isr)
1459 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1462 if (isr == NULL || isr->sp == NULL)
1463 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1464 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1465 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1466 panic("ipsec_get_reqlevel: family mismatched.");
1468 /* XXX note that we have ipseclog() expanded here - code sync issue */
1469 #define IPSEC_CHECK_DEFAULT(lev) \
1470 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1471 && (lev) != IPSEC_LEVEL_UNIQUE) \
1473 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1474 (lev), IPSEC_LEVEL_REQUIRE) \
1476 (lev) = IPSEC_LEVEL_REQUIRE, \
1480 /* set default level */
1481 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1484 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1485 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1486 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1487 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1492 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1493 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1494 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1495 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1499 panic("key_get_reqlevel: Unknown family. %d",
1500 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1503 #undef IPSEC_CHECK_DEFAULT
1506 switch (isr->level) {
1507 case IPSEC_LEVEL_DEFAULT:
1508 switch (isr->saidx.proto) {
1510 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1511 level = esp_net_deflev;
1513 level = esp_trans_deflev;
1516 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1517 level = ah_net_deflev;
1519 level = ah_trans_deflev;
1520 case IPPROTO_IPCOMP:
1522 * we don't really care, as IPcomp document says that
1523 * we shouldn't compress small packets
1525 level = IPSEC_LEVEL_USE;
1528 panic("ipsec_get_reqlevel: "
1529 "Illegal protocol defined %u",
1534 case IPSEC_LEVEL_USE:
1535 case IPSEC_LEVEL_REQUIRE:
1538 case IPSEC_LEVEL_UNIQUE:
1539 level = IPSEC_LEVEL_REQUIRE;
1543 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1551 * Check AH/ESP integrity.
1557 ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
1559 struct ipsecrequest *isr;
1561 int need_auth, need_conf, need_icv;
1563 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1564 kprintf("ipsec_in_reject: using SP\n");
1565 kdebug_secpolicy(sp));
1568 switch (sp->policy) {
1569 case IPSEC_POLICY_DISCARD:
1571 case IPSEC_POLICY_BYPASS:
1572 case IPSEC_POLICY_NONE:
1575 case IPSEC_POLICY_IPSEC:
1578 case IPSEC_POLICY_ENTRUST:
1580 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1587 /* XXX should compare policy against ipsec header history */
1589 for (isr = sp->req; isr != NULL; isr = isr->next) {
1591 /* get current level */
1592 level = ipsec_get_reqlevel(isr);
1594 switch (isr->saidx.proto) {
1596 if (level == IPSEC_LEVEL_REQUIRE) {
1599 if (isr->sav != NULL
1600 && isr->sav->flags == SADB_X_EXT_NONE
1601 && isr->sav->alg_auth != SADB_AALG_NONE)
1606 if (level == IPSEC_LEVEL_REQUIRE) {
1611 case IPPROTO_IPCOMP:
1613 * we don't really care, as IPcomp document says that
1614 * we shouldn't compress small packets, IPComp policy
1615 * should always be treated as being in "use" level.
1621 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1622 kprintf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1623 need_auth, need_conf, need_icv, m->m_flags));
1625 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1626 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1627 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1634 * Check AH/ESP integrity.
1635 * This function is called from tcp_input(), udp_input(),
1636 * and {ah,esp}4_input for tunnel mode
1639 ipsec4_in_reject_so(struct mbuf *m, struct socket *so)
1641 struct secpolicy *sp = NULL;
1647 return 0; /* XXX should be panic ? */
1649 /* get SP for this packet.
1650 * When we are called from ip_forward(), we call
1651 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1654 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1656 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1659 return 0; /* XXX should be panic ?
1660 * -> No, there may be error. */
1662 result = ipsec_in_reject(sp, m);
1663 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1664 kprintf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1671 ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
1674 return ipsec4_in_reject_so(m, NULL);
1675 if (inp->inp_socket)
1676 return ipsec4_in_reject_so(m, inp->inp_socket);
1678 panic("ipsec4_in_reject: invalid inpcb/socket");
1683 * Check AH/ESP integrity.
1684 * This function is called from tcp6_input(), udp6_input(),
1685 * and {ah,esp}6_input for tunnel mode
1688 ipsec6_in_reject_so(struct mbuf *m, struct socket *so)
1690 struct secpolicy *sp = NULL;
1696 return 0; /* XXX should be panic ? */
1698 /* get SP for this packet.
1699 * When we are called from ip_forward(), we call
1700 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1703 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1705 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1708 return 0; /* XXX should be panic ? */
1710 result = ipsec_in_reject(sp, m);
1711 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1712 kprintf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1719 ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p)
1722 return ipsec6_in_reject_so(m, NULL);
1723 if (in6p->in6p_socket)
1724 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1726 panic("ipsec6_in_reject: invalid in6p/socket");
1731 * compute the byte size to be occupied by IPsec header.
1732 * in case it is tunneled, it includes the size of outer IP header.
1733 * NOTE: SP passed is free in this function.
1736 ipsec_hdrsiz(struct secpolicy *sp)
1738 struct ipsecrequest *isr;
1741 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1742 kprintf("ipsec_hdrsiz: using SP\n");
1743 kdebug_secpolicy(sp));
1746 switch (sp->policy) {
1747 case IPSEC_POLICY_DISCARD:
1748 case IPSEC_POLICY_BYPASS:
1749 case IPSEC_POLICY_NONE:
1752 case IPSEC_POLICY_IPSEC:
1755 case IPSEC_POLICY_ENTRUST:
1757 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1762 for (isr = sp->req; isr != NULL; isr = isr->next) {
1766 switch (isr->saidx.proto) {
1769 clen = esp_hdrsiz(isr);
1775 clen = ah_hdrsiz(isr);
1777 case IPPROTO_IPCOMP:
1778 clen = sizeof(struct ipcomp);
1782 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1783 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1785 clen += sizeof(struct ip);
1789 clen += sizeof(struct ip6_hdr);
1793 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1794 "unknown AF %d in IPsec tunnel SA\n",
1795 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1805 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1807 ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
1809 struct secpolicy *sp = NULL;
1815 return 0; /* XXX should be panic ? */
1816 if (inp != NULL && inp->inp_socket == NULL)
1817 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1819 /* get SP for this packet.
1820 * When we are called from ip_forward(), we call
1821 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1824 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1826 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
1829 return 0; /* XXX should be panic ? */
1831 size = ipsec_hdrsiz(sp);
1832 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1833 kprintf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
1834 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1835 kprintf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
1842 /* This function is called from ipsec6_hdrsize_tcp(),
1843 * and maybe from ip6_forward.()
1846 ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p)
1848 struct secpolicy *sp = NULL;
1854 return 0; /* XXX shoud be panic ? */
1855 if (in6p != NULL && in6p->in6p_socket == NULL)
1856 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1858 /* get SP for this packet */
1859 /* XXX Is it right to call with IP_FORWARDING. */
1861 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1863 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
1867 size = ipsec_hdrsiz(sp);
1868 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1869 kprintf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
1870 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1871 kprintf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
1880 * encapsulate for ipsec tunnel.
1881 * ip->ip_src must be fixed later on.
1884 ipsec4_encapsulate(struct mbuf *m, struct secasvar *sav)
1891 /* can't tunnel between different AFs */
1892 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
1893 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
1894 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
1899 /* XXX if the dst is myself, perform nothing. */
1900 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
1906 if (m->m_len < sizeof(*ip))
1907 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1909 ip = mtod(m, struct ip *);
1911 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
1913 hlen = ip->ip_hl << 2;
1916 if (m->m_len != hlen)
1917 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1919 /* generate header checksum */
1922 if (ip->ip_vhl == IP_VHL_BORING)
1923 ip->ip_sum = in_cksum_hdr(ip);
1925 ip->ip_sum = in_cksum(m, hlen);
1927 ip->ip_sum = in_cksum(m, hlen);
1930 plen = m->m_pkthdr.len;
1933 * grow the mbuf to accomodate the new IPv4 header.
1934 * NOTE: IPv4 options will never be copied.
1936 if (M_LEADINGSPACE(m->m_next) < hlen) {
1938 MGET(n, MB_DONTWAIT, MT_DATA);
1944 n->m_next = m->m_next;
1946 m->m_pkthdr.len += hlen;
1947 oip = mtod(n, struct ip *);
1949 m->m_next->m_len += hlen;
1950 m->m_next->m_data -= hlen;
1951 m->m_pkthdr.len += hlen;
1952 oip = mtod(m->m_next, struct ip *);
1954 ip = mtod(m, struct ip *);
1955 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
1956 m->m_len = sizeof(struct ip);
1957 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
1959 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
1960 /* ECN consideration. */
1961 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
1963 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
1965 ip->ip_hl = sizeof(struct ip) >> 2;
1967 ip->ip_off &= htons(~IP_OFFMASK);
1968 ip->ip_off &= htons(~IP_MF);
1969 switch (ip4_ipsec_dfbit) {
1970 case 0: /* clear DF bit */
1971 ip->ip_off &= htons(~IP_DF);
1973 case 1: /* set DF bit */
1974 ip->ip_off |= htons(IP_DF);
1976 default: /* copy DF bit */
1979 ip->ip_p = IPPROTO_IPIP;
1980 if (plen + sizeof(struct ip) < IP_MAXPACKET)
1981 ip->ip_len = htons(plen + sizeof(struct ip));
1983 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
1984 "leave ip_len as is (invalid packet)\n"));
1987 ip->ip_id = ip_randomid();
1989 ip->ip_id = htons(ip_id++);
1991 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
1992 &ip->ip_src, sizeof(ip->ip_src));
1993 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
1994 &ip->ip_dst, sizeof(ip->ip_dst));
1995 ip->ip_ttl = IPDEFTTL;
1997 /* XXX Should ip_src be updated later ? */
2005 ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
2007 struct ip6_hdr *oip6;
2008 struct ip6_hdr *ip6;
2011 /* can't tunnel between different AFs */
2012 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2013 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2014 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2019 /* XXX if the dst is myself, perform nothing. */
2020 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2026 plen = m->m_pkthdr.len;
2029 * grow the mbuf to accomodate the new IPv6 header.
2031 if (m->m_len != sizeof(struct ip6_hdr))
2032 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2033 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2035 MGET(n, MB_DONTWAIT, MT_DATA);
2040 n->m_len = sizeof(struct ip6_hdr);
2041 n->m_next = m->m_next;
2043 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2044 oip6 = mtod(n, struct ip6_hdr *);
2046 m->m_next->m_len += sizeof(struct ip6_hdr);
2047 m->m_next->m_data -= sizeof(struct ip6_hdr);
2048 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2049 oip6 = mtod(m->m_next, struct ip6_hdr *);
2051 ip6 = mtod(m, struct ip6_hdr *);
2052 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2054 /* Fake link-local scope-class addresses */
2055 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2056 oip6->ip6_src.s6_addr16[1] = 0;
2057 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2058 oip6->ip6_dst.s6_addr16[1] = 0;
2060 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2061 /* ECN consideration. */
2062 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2063 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2064 ip6->ip6_plen = htons(plen);
2066 /* ip6->ip6_plen will be updated in ip6_output() */
2068 ip6->ip6_nxt = IPPROTO_IPV6;
2069 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2070 &ip6->ip6_src, sizeof(ip6->ip6_src));
2071 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2072 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2073 ip6->ip6_hlim = IPV6_DEFHLIM;
2075 /* XXX Should ip6_src be updated later ? */
2082 * Check the variable replay window.
2083 * ipsec_chkreplay() performs replay check before ICV verification.
2084 * ipsec_updatereplay() updates replay bitmap. This must be called after
2085 * ICV verification (it also performs replay check, which is usually done
2087 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2089 * based on RFC 2401.
2092 ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
2094 const struct secreplay *replay;
2097 u_int32_t wsizeb; /* constant: bits of window size */
2098 int frlast; /* constant: last frame */
2102 panic("ipsec_chkreplay: NULL pointer was passed.");
2104 replay = sav->replay;
2106 if (replay->wsize == 0)
2107 return 1; /* no need to check replay. */
2110 frlast = replay->wsize - 1;
2111 wsizeb = replay->wsize << 3;
2113 /* sequence number of 0 is invalid */
2117 /* first time is always okay */
2118 if (replay->count == 0)
2121 if (seq > replay->lastseq) {
2122 /* larger sequences are okay */
2125 /* seq is equal or less than lastseq. */
2126 diff = replay->lastseq - seq;
2128 /* over range to check, i.e. too old or wrapped */
2132 fr = frlast - diff / 8;
2134 /* this packet already seen ? */
2135 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2138 /* out of order but good */
2144 * check replay counter whether to update or not.
2149 ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
2151 struct secreplay *replay;
2154 u_int32_t wsizeb; /* constant: bits of window size */
2155 int frlast; /* constant: last frame */
2159 panic("ipsec_chkreplay: NULL pointer was passed.");
2161 replay = sav->replay;
2163 if (replay->wsize == 0)
2164 goto ok; /* no need to check replay. */
2167 frlast = replay->wsize - 1;
2168 wsizeb = replay->wsize << 3;
2170 /* sequence number of 0 is invalid */
2175 if (replay->count == 0) {
2176 replay->lastseq = seq;
2177 bzero(replay->bitmap, replay->wsize);
2178 (replay->bitmap)[frlast] = 1;
2182 if (seq > replay->lastseq) {
2183 /* seq is larger than lastseq. */
2184 diff = seq - replay->lastseq;
2186 /* new larger sequence number */
2187 if (diff < wsizeb) {
2189 /* set bit for this packet */
2190 vshiftl(replay->bitmap, diff, replay->wsize);
2191 (replay->bitmap)[frlast] |= 1;
2193 /* this packet has a "way larger" */
2194 bzero(replay->bitmap, replay->wsize);
2195 (replay->bitmap)[frlast] = 1;
2197 replay->lastseq = seq;
2199 /* larger is good */
2201 /* seq is equal or less than lastseq. */
2202 diff = replay->lastseq - seq;
2204 /* over range to check, i.e. too old or wrapped */
2208 fr = frlast - diff / 8;
2210 /* this packet already seen ? */
2211 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2215 (replay->bitmap)[fr] |= (1 << (diff % 8));
2217 /* out of order but good */
2221 if (replay->count == ~0) {
2223 /* set overflow flag */
2226 /* don't increment, no more packets accepted */
2227 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2230 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2231 replay->overflow, ipsec_logsastr(sav)));
2240 * shift variable length buffer to left.
2241 * IN: bitmap: pointer to the buffer
2242 * nbit: the number of to shift.
2243 * wsize: buffer size (bytes).
2246 vshiftl(unsigned char *bitmap, int nbit, int wsize)
2251 for (j = 0; j < nbit; j += 8) {
2252 s = (nbit - j < 8) ? (nbit - j): 8;
2254 for (i = 1; i < wsize; i++) {
2255 over = (bitmap[i] >> (8 - s));
2257 bitmap[i-1] |= over;
2265 ipsec4_logpacketstr(struct ip *ip, u_int32_t spi)
2267 static char buf[256];
2271 s = (u_int8_t *)(&ip->ip_src);
2272 d = (u_int8_t *)(&ip->ip_dst);
2275 ksnprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2278 ksnprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2279 s[0], s[1], s[2], s[3]);
2282 ksnprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2283 d[0], d[1], d[2], d[3]);
2286 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2293 ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi)
2295 static char buf[256];
2299 ksnprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2302 ksnprintf(p, sizeof(buf) - (p - buf), "src=%s",
2303 ip6_sprintf(&ip6->ip6_src));
2306 ksnprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2307 ip6_sprintf(&ip6->ip6_dst));
2310 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2317 ipsec_logsastr(struct secasvar *sav)
2319 static char buf[256];
2321 struct secasindex *saidx = &sav->sah->saidx;
2323 /* validity check */
2324 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2325 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2326 panic("ipsec_logsastr: family mismatched.");
2329 ksnprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2332 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2334 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2335 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2336 ksnprintf(p, sizeof(buf) - (p - buf),
2337 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2338 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2341 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2342 ksnprintf(p, sizeof(buf) - (p - buf),
2344 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2347 ksnprintf(p, sizeof(buf) - (p - buf),
2349 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2354 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2360 ipsec_dumpmbuf(struct mbuf *m)
2369 p = mtod(m, u_char *);
2370 for (i = 0; i < m->m_len; i++) {
2371 kprintf("%02x ", p[i]);
2373 if (totlen % 16 == 0)
2378 if (totlen % 16 != 0)
2385 * IPsec output logic for IPv4.
2388 ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
2390 struct ip *ip = NULL;
2391 struct ipsecrequest *isr = NULL;
2392 struct secasindex saidx;
2394 struct sockaddr_in *dst4;
2395 struct sockaddr_in *sin;
2398 panic("state == NULL in ipsec4_output");
2400 panic("state->m == NULL in ipsec4_output");
2402 panic("state->ro == NULL in ipsec4_output");
2404 panic("state->dst == NULL in ipsec4_output");
2406 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2407 kprintf("ipsec4_output: applyed SP\n");
2408 kdebug_secpolicy(sp));
2410 for (isr = sp->req; isr != NULL; isr = isr->next) {
2412 #if 0 /* give up to check restriction of transport mode */
2413 /* XXX but should be checked somewhere */
2415 * some of the IPsec operation must be performed only in
2418 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2419 && (flags & IP_FORWARDING))
2423 /* make SA index for search proper SA */
2424 ip = mtod(state->m, struct ip *);
2425 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2426 saidx.mode = isr->saidx.mode;
2427 saidx.reqid = isr->saidx.reqid;
2428 sin = (struct sockaddr_in *)&saidx.src;
2429 if (sin->sin_len == 0) {
2430 sin->sin_len = sizeof(*sin);
2431 sin->sin_family = AF_INET;
2432 sin->sin_port = IPSEC_PORT_ANY;
2433 bcopy(&ip->ip_src, &sin->sin_addr,
2434 sizeof(sin->sin_addr));
2436 sin = (struct sockaddr_in *)&saidx.dst;
2437 if (sin->sin_len == 0) {
2438 sin->sin_len = sizeof(*sin);
2439 sin->sin_family = AF_INET;
2440 sin->sin_port = IPSEC_PORT_ANY;
2441 bcopy(&ip->ip_dst, &sin->sin_addr,
2442 sizeof(sin->sin_addr));
2445 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2447 * IPsec processing is required, but no SA found.
2448 * I assume that key_acquire() had been called
2449 * to get/establish the SA. Here I discard
2450 * this packet because it is responsibility for
2451 * upper layer to retransmit the packet.
2453 ipsecstat.out_nosa++;
2457 /* validity check */
2458 if (isr->sav == NULL) {
2459 switch (ipsec_get_reqlevel(isr)) {
2460 case IPSEC_LEVEL_USE:
2462 case IPSEC_LEVEL_REQUIRE:
2463 /* must be not reached here. */
2464 panic("ipsec4_output: no SA found, but required.");
2469 * If there is no valid SA, we give up to process any
2470 * more. In such a case, the SA's status is changed
2471 * from DYING to DEAD after allocating. If a packet
2472 * send to the receiver by dead SA, the receiver can
2473 * not decode a packet because SA has been dead.
2475 if (isr->sav->state != SADB_SASTATE_MATURE
2476 && isr->sav->state != SADB_SASTATE_DYING) {
2477 ipsecstat.out_nosa++;
2483 * There may be the case that SA status will be changed when
2484 * we are refering to one. So calling crit_enter().
2488 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2490 * build IPsec tunnel.
2492 /* XXX should be processed with other familiy */
2493 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2494 ipseclog((LOG_ERR, "ipsec4_output: "
2495 "family mismatched between inner and outer spi=%u\n",
2496 (u_int32_t)ntohl(isr->sav->spi)));
2498 error = EAFNOSUPPORT;
2502 state->m = ipsec4_splithdr(state->m);
2508 error = ipsec4_encapsulate(state->m, isr->sav);
2514 ip = mtod(state->m, struct ip *);
2516 state->ro = &isr->sav->sah->sa_route;
2517 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2518 dst4 = (struct sockaddr_in *)state->dst;
2519 if (state->ro->ro_rt
2520 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2521 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2522 RTFREE(state->ro->ro_rt);
2523 state->ro->ro_rt = NULL;
2525 if (state->ro->ro_rt == 0) {
2526 dst4->sin_family = AF_INET;
2527 dst4->sin_len = sizeof(*dst4);
2528 dst4->sin_addr = ip->ip_dst;
2531 if (state->ro->ro_rt == 0) {
2532 ipstat.ips_noroute++;
2533 error = EHOSTUNREACH;
2537 /* adjust state->dst if tunnel endpoint is offlink */
2538 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2539 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2540 dst4 = (struct sockaddr_in *)state->dst;
2545 state->m = ipsec4_splithdr(state->m);
2550 switch (isr->saidx.proto) {
2553 if ((error = esp4_output(state->m, isr)) != 0) {
2565 if ((error = ah4_output(state->m, isr)) != 0) {
2570 case IPPROTO_IPCOMP:
2571 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2578 "ipsec4_output: unknown ipsec protocol %d\n",
2586 if (state->m == 0) {
2590 ip = mtod(state->m, struct ip *);
2604 * IPsec output logic for IPv6, transport mode.
2607 ipsec6_output_trans(struct ipsec_output_state *state, u_char *nexthdrp,
2608 struct mbuf *mprev, struct secpolicy *sp, int flags,
2611 struct ip6_hdr *ip6;
2612 struct ipsecrequest *isr = NULL;
2613 struct secasindex saidx;
2616 struct sockaddr_in6 *sin6;
2619 panic("state == NULL in ipsec6_output_trans");
2621 panic("state->m == NULL in ipsec6_output_trans");
2623 panic("nexthdrp == NULL in ipsec6_output_trans");
2625 panic("mprev == NULL in ipsec6_output_trans");
2627 panic("sp == NULL in ipsec6_output_trans");
2629 panic("tun == NULL in ipsec6_output_trans");
2631 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2632 kprintf("ipsec6_output_trans: applyed SP\n");
2633 kdebug_secpolicy(sp));
2636 for (isr = sp->req; isr; isr = isr->next) {
2637 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2638 /* the rest will be handled by ipsec6_output_tunnel() */
2642 /* make SA index for search proper SA */
2643 ip6 = mtod(state->m, struct ip6_hdr *);
2644 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2645 saidx.mode = isr->saidx.mode;
2646 saidx.reqid = isr->saidx.reqid;
2647 sin6 = (struct sockaddr_in6 *)&saidx.src;
2648 if (sin6->sin6_len == 0) {
2649 sin6->sin6_len = sizeof(*sin6);
2650 sin6->sin6_family = AF_INET6;
2651 sin6->sin6_port = IPSEC_PORT_ANY;
2652 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2653 sizeof(ip6->ip6_src));
2654 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2655 /* fix scope id for comparing SPD */
2656 sin6->sin6_addr.s6_addr16[1] = 0;
2657 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2660 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2661 if (sin6->sin6_len == 0) {
2662 sin6->sin6_len = sizeof(*sin6);
2663 sin6->sin6_family = AF_INET6;
2664 sin6->sin6_port = IPSEC_PORT_ANY;
2665 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2666 sizeof(ip6->ip6_dst));
2667 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2668 /* fix scope id for comparing SPD */
2669 sin6->sin6_addr.s6_addr16[1] = 0;
2670 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2674 if (key_checkrequest(isr, &saidx) == ENOENT) {
2676 * IPsec processing is required, but no SA found.
2677 * I assume that key_acquire() had been called
2678 * to get/establish the SA. Here I discard
2679 * this packet because it is responsibility for
2680 * upper layer to retransmit the packet.
2682 ipsec6stat.out_nosa++;
2686 * Notify the fact that the packet is discarded
2687 * to ourselves. I believe this is better than
2688 * just silently discarding. (jinmei@kame.net)
2689 * XXX: should we restrict the error to TCP packets?
2690 * XXX: should we directly notify sockets via
2693 icmp6_error(state->m, ICMP6_DST_UNREACH,
2694 ICMP6_DST_UNREACH_ADMIN, 0);
2695 state->m = NULL; /* icmp6_error freed the mbuf */
2699 /* validity check */
2700 if (isr->sav == NULL) {
2701 switch (ipsec_get_reqlevel(isr)) {
2702 case IPSEC_LEVEL_USE:
2704 case IPSEC_LEVEL_REQUIRE:
2705 /* must be not reached here. */
2706 panic("ipsec6_output_trans: no SA found, but required.");
2711 * If there is no valid SA, we give up to process.
2712 * see same place at ipsec4_output().
2714 if (isr->sav->state != SADB_SASTATE_MATURE
2715 && isr->sav->state != SADB_SASTATE_DYING) {
2716 ipsec6stat.out_nosa++;
2721 switch (isr->saidx.proto) {
2724 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2731 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2733 case IPPROTO_IPCOMP:
2734 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2737 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2738 "unknown ipsec protocol %d\n", isr->saidx.proto));
2740 ipsec6stat.out_inval++;
2748 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2749 if (plen > IPV6_MAXPACKET) {
2750 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2751 "IPsec with IPv6 jumbogram is not supported\n"));
2752 ipsec6stat.out_inval++;
2753 error = EINVAL; /* XXX */
2756 ip6 = mtod(state->m, struct ip6_hdr *);
2757 ip6->ip6_plen = htons(plen);
2760 /* if we have more to go, we need a tunnel mode processing */
2773 * IPsec output logic for IPv6, tunnel mode.
2776 ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp,
2779 struct ip6_hdr *ip6;
2780 struct ipsecrequest *isr = NULL;
2781 struct secasindex saidx;
2784 struct sockaddr_in6* dst6;
2787 panic("state == NULL in ipsec6_output_tunnel");
2789 panic("state->m == NULL in ipsec6_output_tunnel");
2791 panic("sp == NULL in ipsec6_output_tunnel");
2793 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2794 kprintf("ipsec6_output_tunnel: applyed SP\n");
2795 kdebug_secpolicy(sp));
2798 * transport mode ipsec (before the 1st tunnel mode) is already
2799 * processed by ipsec6_output_trans().
2801 for (isr = sp->req; isr; isr = isr->next) {
2802 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
2806 for (/* already initialized */; isr; isr = isr->next) {
2807 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2808 /* When tunnel mode, SA peers must be specified. */
2809 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2811 /* make SA index to look for a proper SA */
2812 struct sockaddr_in6 *sin6;
2814 bzero(&saidx, sizeof(saidx));
2815 saidx.proto = isr->saidx.proto;
2816 saidx.mode = isr->saidx.mode;
2817 saidx.reqid = isr->saidx.reqid;
2819 ip6 = mtod(state->m, struct ip6_hdr *);
2820 sin6 = (struct sockaddr_in6 *)&saidx.src;
2821 if (sin6->sin6_len == 0) {
2822 sin6->sin6_len = sizeof(*sin6);
2823 sin6->sin6_family = AF_INET6;
2824 sin6->sin6_port = IPSEC_PORT_ANY;
2825 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2826 sizeof(ip6->ip6_src));
2827 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2828 /* fix scope id for comparing SPD */
2829 sin6->sin6_addr.s6_addr16[1] = 0;
2830 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2833 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2834 if (sin6->sin6_len == 0) {
2835 sin6->sin6_len = sizeof(*sin6);
2836 sin6->sin6_family = AF_INET6;
2837 sin6->sin6_port = IPSEC_PORT_ANY;
2838 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2839 sizeof(ip6->ip6_dst));
2840 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2841 /* fix scope id for comparing SPD */
2842 sin6->sin6_addr.s6_addr16[1] = 0;
2843 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2848 if (key_checkrequest(isr, &saidx) == ENOENT) {
2850 * IPsec processing is required, but no SA found.
2851 * I assume that key_acquire() had been called
2852 * to get/establish the SA. Here I discard
2853 * this packet because it is responsibility for
2854 * upper layer to retransmit the packet.
2856 ipsec6stat.out_nosa++;
2861 /* validity check */
2862 if (isr->sav == NULL) {
2863 switch (ipsec_get_reqlevel(isr)) {
2864 case IPSEC_LEVEL_USE:
2866 case IPSEC_LEVEL_REQUIRE:
2867 /* must be not reached here. */
2868 panic("ipsec6_output_tunnel: no SA found, but required.");
2873 * If there is no valid SA, we give up to process.
2874 * see same place at ipsec4_output().
2876 if (isr->sav->state != SADB_SASTATE_MATURE
2877 && isr->sav->state != SADB_SASTATE_DYING) {
2878 ipsec6stat.out_nosa++;
2884 * There may be the case that SA status will be changed when
2885 * we are refering to one. So calling crit_enter().
2889 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2891 * build IPsec tunnel.
2893 /* XXX should be processed with other familiy */
2894 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
2895 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2896 "family mismatched between inner and outer, spi=%u\n",
2897 (u_int32_t)ntohl(isr->sav->spi)));
2899 ipsec6stat.out_inval++;
2900 error = EAFNOSUPPORT;
2904 state->m = ipsec6_splithdr(state->m);
2907 ipsec6stat.out_nomem++;
2911 error = ipsec6_encapsulate(state->m, isr->sav);
2917 ip6 = mtod(state->m, struct ip6_hdr *);
2919 state->ro = &isr->sav->sah->sa_route;
2920 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2921 dst6 = (struct sockaddr_in6 *)state->dst;
2922 if (state->ro->ro_rt
2923 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2924 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
2925 RTFREE(state->ro->ro_rt);
2926 state->ro->ro_rt = NULL;
2928 if (state->ro->ro_rt == 0) {
2929 bzero(dst6, sizeof(*dst6));
2930 dst6->sin6_family = AF_INET6;
2931 dst6->sin6_len = sizeof(*dst6);
2932 dst6->sin6_addr = ip6->ip6_dst;
2935 if (state->ro->ro_rt == 0) {
2936 ip6stat.ip6s_noroute++;
2937 ipsec6stat.out_noroute++;
2938 error = EHOSTUNREACH;
2942 /* adjust state->dst if tunnel endpoint is offlink */
2943 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2944 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2945 dst6 = (struct sockaddr_in6 *)state->dst;
2950 state->m = ipsec6_splithdr(state->m);
2952 ipsec6stat.out_nomem++;
2956 ip6 = mtod(state->m, struct ip6_hdr *);
2957 switch (isr->saidx.proto) {
2960 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
2967 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
2969 case IPPROTO_IPCOMP:
2970 /* XXX code should be here */
2973 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2974 "unknown ipsec protocol %d\n", isr->saidx.proto));
2976 ipsec6stat.out_inval++;
2984 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2985 if (plen > IPV6_MAXPACKET) {
2986 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2987 "IPsec with IPv6 jumbogram is not supported\n"));
2988 ipsec6stat.out_inval++;
2989 error = EINVAL; /* XXX */
2992 ip6 = mtod(state->m, struct ip6_hdr *);
2993 ip6->ip6_plen = htons(plen);
3007 * Chop IP header and option off from the payload.
3009 static struct mbuf *
3010 ipsec4_splithdr(struct mbuf *m)
3016 if (m->m_len < sizeof(struct ip))
3017 panic("ipsec4_splithdr: first mbuf too short");
3018 ip = mtod(m, struct ip *);
3020 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3022 hlen = ip->ip_hl << 2;
3024 if (m->m_len > hlen) {
3025 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
3030 M_MOVE_PKTHDR(mh, m);
3037 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3038 } else if (m->m_len < hlen) {
3039 m = m_pullup(m, hlen);
3048 static struct mbuf *
3049 ipsec6_splithdr(struct mbuf *m)
3052 struct ip6_hdr *ip6;
3055 if (m->m_len < sizeof(struct ip6_hdr))
3056 panic("ipsec6_splithdr: first mbuf too short");
3057 ip6 = mtod(m, struct ip6_hdr *);
3058 hlen = sizeof(struct ip6_hdr);
3059 if (m->m_len > hlen) {
3060 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
3065 M_MOVE_PKTHDR(mh, m);
3072 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3073 } else if (m->m_len < hlen) {
3074 m = m_pullup(m, hlen);
3082 /* validate inbound IPsec tunnel packet. */
3084 ipsec4_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3085 int off, u_int nxt0, struct secasvar *sav)
3087 u_int8_t nxt = nxt0 & 0xff;
3088 struct sockaddr_in *sin;
3089 struct sockaddr_in osrc, odst, isrc, idst;
3091 struct secpolicy *sp;
3095 if (m->m_len < sizeof(struct ip))
3096 panic("too short mbuf on ipsec4_tunnel_validate");
3098 if (nxt != IPPROTO_IPV4)
3100 if (m->m_pkthdr.len < off + sizeof(struct ip))
3102 /* do not decapsulate if the SA is for transport mode only */
3103 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3106 oip = mtod(m, struct ip *);
3108 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3110 hlen = oip->ip_hl << 2;
3112 if (hlen != sizeof(struct ip))
3115 /* AF_INET6 should be supported, but at this moment we don't. */
3116 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3117 if (sin->sin_family != AF_INET)
3119 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3123 bzero(&osrc, sizeof(osrc));
3124 bzero(&odst, sizeof(odst));
3125 bzero(&isrc, sizeof(isrc));
3126 bzero(&idst, sizeof(idst));
3127 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3129 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3130 sizeof(struct sockaddr_in);
3131 osrc.sin_addr = oip->ip_src;
3132 odst.sin_addr = oip->ip_dst;
3133 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3134 (caddr_t)&isrc.sin_addr);
3135 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3136 (caddr_t)&idst.sin_addr);
3139 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3140 * - if the inner destination is multicast address, there can be
3141 * multiple permissible inner source address. implementation
3142 * may want to skip verification of inner source address against
3144 * - if the inner protocol is ICMP, the packet may be an error report
3145 * from routers on the other side of the VPN cloud (R in the
3146 * following diagram). in this case, we cannot verify inner source
3147 * address against SPD selector.
3148 * me -- gw === gw -- R -- you
3150 * we consider the first bullet to be users responsibility on SPD entry
3151 * configuration (if you need to encrypt multicast traffic, set
3152 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3153 * address ranges for possible senders).
3154 * the second bullet is not taken care of (yet).
3156 * therefore, we do not do anything special about inner source.
3159 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3160 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3169 /* validate inbound IPsec tunnel packet. */
3171 ipsec6_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3172 int off, u_int nxt0, struct secasvar *sav)
3174 u_int8_t nxt = nxt0 & 0xff;
3175 struct sockaddr_in6 *sin6;
3176 struct sockaddr_in6 osrc, odst, isrc, idst;
3177 struct secpolicy *sp;
3178 struct ip6_hdr *oip6;
3181 if (m->m_len < sizeof(struct ip6_hdr))
3182 panic("too short mbuf on ipsec6_tunnel_validate");
3184 if (nxt != IPPROTO_IPV6)
3186 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3188 /* do not decapsulate if the SA is for transport mode only */
3189 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3192 oip6 = mtod(m, struct ip6_hdr *);
3193 /* AF_INET should be supported, but at this moment we don't. */
3194 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3195 if (sin6->sin6_family != AF_INET6)
3197 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3201 bzero(&osrc, sizeof(osrc));
3202 bzero(&odst, sizeof(odst));
3203 bzero(&isrc, sizeof(isrc));
3204 bzero(&idst, sizeof(idst));
3205 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3206 idst.sin6_family = AF_INET6;
3207 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3208 sizeof(struct sockaddr_in6);
3209 osrc.sin6_addr = oip6->ip6_src;
3210 odst.sin6_addr = oip6->ip6_dst;
3211 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3212 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3213 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3214 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3217 * regarding to inner source address validation, see a long comment
3218 * in ipsec4_tunnel_validate.
3221 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3222 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3224 * when there is no suitable inbound policy for the packet of the ipsec
3225 * tunnel mode, the kernel never decapsulate the tunneled packet
3226 * as the ipsec tunnel mode even when the system wide policy is "none".
3227 * then the kernel leaves the generic tunnel module to process this
3228 * packet. if there is no rule of the generic tunnel, the packet
3229 * is rejected and the statistics will be counted up.
3240 * Make a mbuf chain for encryption.
3241 * If the original mbuf chain contains a mbuf with a cluster,
3242 * allocate a new cluster and copy the data to the new cluster.
3243 * XXX: this hack is inefficient, but is necessary to handle cases
3244 * of TCP retransmission...
3247 ipsec_copypkt(struct mbuf *m)
3249 struct mbuf *n, **mpp, *mnew;
3251 for (n = m, mpp = &m; n; n = n->m_next) {
3252 if (n->m_flags & M_EXT) {
3254 * Make a copy only if there are more than one
3255 * references to the cluster.
3256 * XXX: is this approach effective?
3258 if (m_sharecount(n) > 1) {
3262 if (n->m_flags & M_PKTHDR) {
3263 MGETHDR(mnew, MB_DONTWAIT, MT_HEADER);
3266 if (!m_dup_pkthdr(mnew, n, MB_DONTWAIT)) {
3272 MGET(mnew, MB_DONTWAIT, MT_DATA);
3280 * Copy data. If we don't have enough space to
3281 * store the whole data, allocate a cluster
3282 * or additional mbufs.
3283 * XXX: we don't use m_copyback(), since the
3284 * function does not use clusters and thus is
3293 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3295 else { /* allocate a cluster */
3296 MCLGET(mm, MB_DONTWAIT);
3297 if (!(mm->m_flags & M_EXT)) {
3301 len = remain < MCLBYTES ?
3305 bcopy(n->m_data + copied, mm->m_data,
3312 if (remain <= 0) /* completed? */
3315 /* need another mbuf */
3316 MGETHDR(mn, MB_DONTWAIT, MT_HEADER);
3319 mn->m_pkthdr.rcvif = NULL;
3325 mm->m_next = m_free(n);
3344 ipsec_delaux(struct mbuf *m)
3348 while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
3349 m_tag_delete(m, tag);
3353 ipsec_addhist(struct mbuf *m, int proto, u_int32_t spi)
3356 struct ipsec_history *p;
3358 tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3359 sizeof (struct ipsec_history), MB_DONTWAIT);
3362 p = (struct ipsec_history *)m_tag_data(tag);
3363 bzero(p, sizeof(*p));
3364 p->ih_proto = proto;
3366 m_tag_prepend(m, tag);
3370 struct ipsec_history *
3371 ipsec_gethist(struct mbuf *m, int *lenp)
3375 tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3378 /* XXX NB: noone uses this so fake it */
3380 *lenp = sizeof (struct ipsec_history);
3381 return ((struct ipsec_history *)(tag+1));