1 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.12 2003/05/06 06:46:58 suz Exp $ */
2 /* $DragonFly: src/sys/netinet6/ipsec.c,v 1.10 2005/02/08 22:56:19 hsu Exp $ */
3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * IPsec controller part.
39 #include "opt_inet6.h"
40 #include "opt_ipsec.h"
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/malloc.h>
46 #include <sys/domain.h>
47 #include <sys/protosw.h>
48 #include <sys/socket.h>
49 #include <sys/socketvar.h>
50 #include <sys/errno.h>
52 #include <sys/kernel.h>
53 #include <sys/syslog.h>
54 #include <sys/sysctl.h>
56 #include <sys/in_cksum.h>
59 #include <net/route.h>
61 #include <netinet/in.h>
62 #include <netinet/in_systm.h>
63 #include <netinet/ip.h>
64 #include <netinet/ip_var.h>
65 #include <netinet/in_var.h>
66 #include <netinet/udp.h>
67 #include <netinet/udp_var.h>
68 #include <netinet/ip_ecn.h>
70 #include <netinet6/ip6_ecn.h>
72 #include <netinet/tcp.h>
73 #include <netinet/udp.h>
75 #include <netinet/ip6.h>
77 #include <netinet6/ip6_var.h>
79 #include <netinet/in_pcb.h>
81 #include <netinet/icmp6.h>
84 #include <netinet6/ipsec.h>
86 #include <netinet6/ipsec6.h>
88 #include <netinet6/ah.h>
90 #include <netinet6/ah6.h>
93 #include <netinet6/esp.h>
95 #include <netinet6/esp6.h>
98 #include <netinet6/ipcomp.h>
100 #include <netinet6/ipcomp6.h>
102 #include <netproto/key/key.h>
103 #include <netproto/key/keydb.h>
104 #include <netproto/key/key_debug.h>
106 #include <net/net_osdep.h>
114 struct ipsecstat ipsecstat;
115 int ip4_ah_cleartos = 1;
116 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
117 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
118 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
119 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
120 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
122 struct secpolicy ip4_def_policy;
123 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
124 int ip4_esp_randpad = -1;
127 SYSCTL_DECL(_net_inet_ipsec);
129 SYSCTL_DECL(_net_inet6_ipsec6);
134 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
135 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
136 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
137 def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
138 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
139 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
140 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
141 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
143 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
145 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
147 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
149 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
151 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
153 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
155 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
157 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
160 struct ipsecstat ipsec6stat;
161 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
162 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
163 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
164 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
165 struct secpolicy ip6_def_policy;
166 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
167 int ip6_esp_randpad = -1;
169 /* net.inet6.ipsec6 */
170 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
171 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
172 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
173 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
174 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
175 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
176 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
177 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
178 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
179 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
181 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
183 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
185 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
187 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
190 static int ipsec_setspidx_mbuf
191 (struct secpolicyindex *, u_int, u_int, struct mbuf *, int);
192 static int ipsec4_setspidx_inpcb (struct mbuf *, struct inpcb *pcb);
194 static int ipsec6_setspidx_in6pcb (struct mbuf *, struct in6pcb *pcb);
196 static int ipsec_setspidx (struct mbuf *, struct secpolicyindex *, int);
197 static void ipsec4_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
198 static int ipsec4_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
200 static void ipsec6_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
201 static int ipsec6_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
203 static struct inpcbpolicy *ipsec_newpcbpolicy (void);
204 static void ipsec_delpcbpolicy (struct inpcbpolicy *);
205 static struct secpolicy *ipsec_deepcopy_policy (struct secpolicy *src);
206 static int ipsec_set_policy (struct secpolicy **pcb_sp,
207 int optname, caddr_t request, size_t len, int priv);
208 static int ipsec_get_policy (struct secpolicy *pcb_sp, struct mbuf **mp);
209 static void vshiftl (unsigned char *, int, int);
210 static int ipsec_in_reject (struct secpolicy *, struct mbuf *);
211 static size_t ipsec_hdrsiz (struct secpolicy *);
213 static struct mbuf *ipsec4_splithdr (struct mbuf *);
216 static struct mbuf *ipsec6_splithdr (struct mbuf *);
219 static int ipsec4_encapsulate (struct mbuf *, struct secasvar *);
222 static int ipsec6_encapsulate (struct mbuf *, struct secasvar *);
226 * For OUTBOUND packet having a socket. Searching SPD for packet,
227 * and return a pointer to SP.
228 * OUT: NULL: no apropreate SP found, the following value is set to error.
230 * EACCES : discard packet.
231 * ENOENT : ipsec_acquire() in progress, maybe.
232 * others : error occured.
233 * others: a pointer to SP
235 * NOTE: IPv6 mapped adddress concern is implemented here.
238 ipsec4_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
240 struct inpcbpolicy *pcbsp = NULL;
241 struct secpolicy *currsp = NULL; /* policy on socket */
242 struct secpolicy *kernsp = NULL; /* policy on kernel */
245 if (m == NULL || so == NULL || error == NULL)
246 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
248 switch (so->so_proto->pr_domain->dom_family) {
250 /* set spidx in pcb */
251 *error = ipsec4_setspidx_inpcb(m, so->so_pcb);
255 /* set spidx in pcb */
256 *error = ipsec6_setspidx_in6pcb(m, so->so_pcb);
260 panic("ipsec4_getpolicybysock: unsupported address family\n");
264 switch (so->so_proto->pr_domain->dom_family) {
266 pcbsp = sotoinpcb(so)->inp_sp;
270 pcbsp = sotoin6pcb(so)->in6p_sp;
277 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
280 case IPSEC_DIR_INBOUND:
281 currsp = pcbsp->sp_in;
283 case IPSEC_DIR_OUTBOUND:
284 currsp = pcbsp->sp_out;
287 panic("ipsec4_getpolicybysock: illegal direction.");
292 panic("ipsec4_getpolicybysock: currsp is NULL.");
294 /* when privilieged socket */
296 switch (currsp->policy) {
297 case IPSEC_POLICY_BYPASS:
302 case IPSEC_POLICY_ENTRUST:
303 /* look for a policy in SPD */
304 kernsp = key_allocsp(&currsp->spidx, dir);
307 if (kernsp != NULL) {
308 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
309 printf("DP ipsec4_getpolicybysock called "
310 "to allocate SP:%p\n", kernsp));
316 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
317 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
319 "fixed system default policy: %d->%d\n",
320 ip4_def_policy.policy, IPSEC_POLICY_NONE));
321 ip4_def_policy.policy = IPSEC_POLICY_NONE;
323 ip4_def_policy.refcnt++;
325 return &ip4_def_policy;
327 case IPSEC_POLICY_IPSEC:
333 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
334 "Invalid policy for PCB %d\n", currsp->policy));
341 /* when non-privilieged socket */
342 /* look for a policy in SPD */
343 kernsp = key_allocsp(&currsp->spidx, dir);
346 if (kernsp != NULL) {
347 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
348 printf("DP ipsec4_getpolicybysock called "
349 "to allocate SP:%p\n", kernsp));
355 switch (currsp->policy) {
356 case IPSEC_POLICY_BYPASS:
357 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
358 "Illegal policy for non-priviliged defined %d\n",
363 case IPSEC_POLICY_ENTRUST:
364 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
365 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
367 "fixed system default policy: %d->%d\n",
368 ip4_def_policy.policy, IPSEC_POLICY_NONE));
369 ip4_def_policy.policy = IPSEC_POLICY_NONE;
371 ip4_def_policy.refcnt++;
373 return &ip4_def_policy;
375 case IPSEC_POLICY_IPSEC:
381 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
382 "Invalid policy for PCB %d\n", currsp->policy));
390 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
391 * and return a pointer to SP.
392 * OUT: positive: a pointer to the entry for security policy leaf matched.
393 * NULL: no apropreate SP found, the following value is set to error.
395 * EACCES : discard packet.
396 * ENOENT : ipsec_acquire() in progress, maybe.
397 * others : error occured.
400 ipsec4_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
402 struct secpolicy *sp = NULL;
405 if (m == NULL || error == NULL)
406 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
409 struct secpolicyindex spidx;
411 bzero(&spidx, sizeof(spidx));
413 /* make a index to look for a policy */
414 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
415 (flag & IP_FORWARDING) ? 0 : 1);
420 sp = key_allocsp(&spidx, dir);
425 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
426 printf("DP ipsec4_getpolicybyaddr called "
427 "to allocate SP:%p\n", sp));
433 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
434 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
435 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
436 ip4_def_policy.policy,
438 ip4_def_policy.policy = IPSEC_POLICY_NONE;
440 ip4_def_policy.refcnt++;
442 return &ip4_def_policy;
447 * For OUTBOUND packet having a socket. Searching SPD for packet,
448 * and return a pointer to SP.
449 * OUT: NULL: no apropreate SP found, the following value is set to error.
451 * EACCES : discard packet.
452 * ENOENT : ipsec_acquire() in progress, maybe.
453 * others : error occured.
454 * others: a pointer to SP
457 ipsec6_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
459 struct inpcbpolicy *pcbsp = NULL;
460 struct secpolicy *currsp = NULL; /* policy on socket */
461 struct secpolicy *kernsp = NULL; /* policy on kernel */
464 if (m == NULL || so == NULL || error == NULL)
465 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
468 if (so->so_proto->pr_domain->dom_family != AF_INET6)
469 panic("ipsec6_getpolicybysock: socket domain != inet6");
472 /* set spidx in pcb */
473 ipsec6_setspidx_in6pcb(m, so->so_pcb);
475 pcbsp = sotoin6pcb(so)->in6p_sp;
479 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
482 case IPSEC_DIR_INBOUND:
483 currsp = pcbsp->sp_in;
485 case IPSEC_DIR_OUTBOUND:
486 currsp = pcbsp->sp_out;
489 panic("ipsec6_getpolicybysock: illegal direction.");
494 panic("ipsec6_getpolicybysock: currsp is NULL.");
496 /* when privilieged socket */
498 switch (currsp->policy) {
499 case IPSEC_POLICY_BYPASS:
504 case IPSEC_POLICY_ENTRUST:
505 /* look for a policy in SPD */
506 kernsp = key_allocsp(&currsp->spidx, dir);
509 if (kernsp != NULL) {
510 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
511 printf("DP ipsec6_getpolicybysock called "
512 "to allocate SP:%p\n", kernsp));
518 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
519 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
521 "fixed system default policy: %d->%d\n",
522 ip6_def_policy.policy, IPSEC_POLICY_NONE));
523 ip6_def_policy.policy = IPSEC_POLICY_NONE;
525 ip6_def_policy.refcnt++;
527 return &ip6_def_policy;
529 case IPSEC_POLICY_IPSEC:
535 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
536 "Invalid policy for PCB %d\n", currsp->policy));
543 /* when non-privilieged socket */
544 /* look for a policy in SPD */
545 kernsp = key_allocsp(&currsp->spidx, dir);
548 if (kernsp != NULL) {
549 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
550 printf("DP ipsec6_getpolicybysock called "
551 "to allocate SP:%p\n", kernsp));
557 switch (currsp->policy) {
558 case IPSEC_POLICY_BYPASS:
559 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
560 "Illegal policy for non-priviliged defined %d\n",
565 case IPSEC_POLICY_ENTRUST:
566 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
567 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
569 "fixed system default policy: %d->%d\n",
570 ip6_def_policy.policy, IPSEC_POLICY_NONE));
571 ip6_def_policy.policy = IPSEC_POLICY_NONE;
573 ip6_def_policy.refcnt++;
575 return &ip6_def_policy;
577 case IPSEC_POLICY_IPSEC:
584 "ipsec6_policybysock: Invalid policy for PCB %d\n",
593 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
594 * and return a pointer to SP.
595 * `flag' means that packet is to be forwarded whether or not.
597 * OUT: positive: a pointer to the entry for security policy leaf matched.
598 * NULL: no apropreate SP found, the following value is set to error.
600 * EACCES : discard packet.
601 * ENOENT : ipsec_acquire() in progress, maybe.
602 * others : error occured.
604 #ifndef IP_FORWARDING
605 #define IP_FORWARDING 1
609 ipsec6_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
611 struct secpolicy *sp = NULL;
614 if (m == NULL || error == NULL)
615 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
618 struct secpolicyindex spidx;
620 bzero(&spidx, sizeof(spidx));
622 /* make a index to look for a policy */
623 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
624 (flag & IP_FORWARDING) ? 0 : 1);
629 sp = key_allocsp(&spidx, dir);
634 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
635 printf("DP ipsec6_getpolicybyaddr called "
636 "to allocate SP:%p\n", sp));
642 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
643 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
644 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
645 ip6_def_policy.policy, IPSEC_POLICY_NONE));
646 ip6_def_policy.policy = IPSEC_POLICY_NONE;
648 ip6_def_policy.refcnt++;
650 return &ip6_def_policy;
655 * set IP address into spidx from mbuf.
656 * When Forwarding packet and ICMP echo reply, this function is used.
658 * IN: get the followings from mbuf.
659 * protocol family, src, dst, next protocol
662 * other: failure, and set errno.
665 ipsec_setspidx_mbuf(struct secpolicyindex *spidx, u_int dir, u_int family,
666 struct mbuf *m, int needport)
671 if (spidx == NULL || m == NULL)
672 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
674 bzero(spidx, sizeof(*spidx));
676 error = ipsec_setspidx(m, spidx, needport);
685 bzero(spidx, sizeof(*spidx));
690 ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb)
692 struct secpolicyindex *spidx;
697 panic("ipsec4_setspidx_inpcb: no PCB found.");
698 if (pcb->inp_sp == NULL)
699 panic("ipsec4_setspidx_inpcb: no inp_sp found.");
700 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
701 panic("ipsec4_setspidx_inpcb: no sp_in/out found.");
703 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
704 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
706 spidx = &pcb->inp_sp->sp_in->spidx;
707 error = ipsec_setspidx(m, spidx, 1);
710 spidx->dir = IPSEC_DIR_INBOUND;
712 spidx = &pcb->inp_sp->sp_out->spidx;
713 error = ipsec_setspidx(m, spidx, 1);
716 spidx->dir = IPSEC_DIR_OUTBOUND;
721 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
722 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
728 ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb)
730 struct secpolicyindex *spidx;
735 panic("ipsec6_setspidx_in6pcb: no PCB found.");
736 if (pcb->in6p_sp == NULL)
737 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.");
738 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
739 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.");
741 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
742 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
744 spidx = &pcb->in6p_sp->sp_in->spidx;
745 error = ipsec_setspidx(m, spidx, 1);
748 spidx->dir = IPSEC_DIR_INBOUND;
750 spidx = &pcb->in6p_sp->sp_out->spidx;
751 error = ipsec_setspidx(m, spidx, 1);
754 spidx->dir = IPSEC_DIR_OUTBOUND;
759 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
760 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
766 * configure security policy index (src/dst/proto/sport/dport)
767 * by looking at the content of mbuf.
768 * the caller is responsible for error recovery (like clearing up spidx).
771 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
773 struct ip *ip = NULL;
781 panic("ipsec_setspidx: m == 0 passed.");
784 * validate m->m_pkthdr.len. we see incorrect length if we
785 * mistakenly call this function with inconsistent mbuf chain
786 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
789 for (n = m; n; n = n->m_next)
791 if (m->m_pkthdr.len != len) {
792 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
793 printf("ipsec_setspidx: "
794 "total of m_len(%d) != pkthdr.len(%d), "
796 len, m->m_pkthdr.len));
800 if (m->m_pkthdr.len < sizeof(struct ip)) {
801 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
802 printf("ipsec_setspidx: "
803 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
808 if (m->m_len >= sizeof(*ip))
809 ip = mtod(m, struct ip *);
811 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
815 v = _IP_VHL_V(ip->ip_vhl);
821 error = ipsec4_setspidx_ipaddr(m, spidx);
824 ipsec4_get_ulp(m, spidx, needport);
828 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
829 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
830 printf("ipsec_setspidx: "
831 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
832 "ignored.\n", m->m_pkthdr.len));
835 error = ipsec6_setspidx_ipaddr(m, spidx);
838 ipsec6_get_ulp(m, spidx, needport);
842 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
843 printf("ipsec_setspidx: "
844 "unknown IP version %u, ignored.\n", v));
850 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
861 panic("ipsec4_get_ulp: NULL pointer was passed.");
862 if (m->m_pkthdr.len < sizeof(ip))
863 panic("ipsec4_get_ulp: too short");
866 spidx->ul_proto = IPSEC_ULPROTO_ANY;
867 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
868 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
870 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
871 /* ip_input() flips it into host endian XXX need more checking */
872 if (ip.ip_off & (IP_MF | IP_OFFMASK))
877 off = _IP_VHL_HL(ip->ip_vhl) << 2;
881 while (off < m->m_pkthdr.len) {
884 spidx->ul_proto = nxt;
887 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
889 m_copydata(m, off, sizeof(th), (caddr_t)&th);
890 ((struct sockaddr_in *)&spidx->src)->sin_port =
892 ((struct sockaddr_in *)&spidx->dst)->sin_port =
896 spidx->ul_proto = nxt;
899 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
901 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
902 ((struct sockaddr_in *)&spidx->src)->sin_port =
904 ((struct sockaddr_in *)&spidx->dst)->sin_port =
908 if (m->m_pkthdr.len > off + sizeof(ip6e))
910 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
911 off += (ip6e.ip6e_len + 2) << 2;
916 /* XXX intermediate headers??? */
917 spidx->ul_proto = nxt;
923 /* assumes that m is sane */
925 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
927 struct ip *ip = NULL;
929 struct sockaddr_in *sin;
931 if (m->m_len >= sizeof(*ip))
932 ip = mtod(m, struct ip *);
934 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
938 sin = (struct sockaddr_in *)&spidx->src;
939 bzero(sin, sizeof(*sin));
940 sin->sin_family = AF_INET;
941 sin->sin_len = sizeof(struct sockaddr_in);
942 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
943 spidx->prefs = sizeof(struct in_addr) << 3;
945 sin = (struct sockaddr_in *)&spidx->dst;
946 bzero(sin, sizeof(*sin));
947 sin->sin_family = AF_INET;
948 sin->sin_len = sizeof(struct sockaddr_in);
949 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
950 spidx->prefd = sizeof(struct in_addr) << 3;
956 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
964 panic("ipsec6_get_ulp: NULL pointer was passed.");
966 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
967 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
970 spidx->ul_proto = IPSEC_ULPROTO_ANY;
971 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
972 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
975 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
976 if (off < 0 || m->m_pkthdr.len < off)
981 spidx->ul_proto = nxt;
984 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
986 m_copydata(m, off, sizeof(th), (caddr_t)&th);
987 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
988 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
991 spidx->ul_proto = nxt;
994 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
996 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
997 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
998 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1000 case IPPROTO_ICMPV6:
1002 /* XXX intermediate headers??? */
1003 spidx->ul_proto = nxt;
1008 /* assumes that m is sane */
1010 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1012 struct ip6_hdr *ip6 = NULL;
1013 struct ip6_hdr ip6buf;
1014 struct sockaddr_in6 *sin6;
1016 if (m->m_len >= sizeof(*ip6))
1017 ip6 = mtod(m, struct ip6_hdr *);
1019 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1023 sin6 = (struct sockaddr_in6 *)&spidx->src;
1024 bzero(sin6, sizeof(*sin6));
1025 sin6->sin6_family = AF_INET6;
1026 sin6->sin6_len = sizeof(struct sockaddr_in6);
1027 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1028 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1029 sin6->sin6_addr.s6_addr16[1] = 0;
1030 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1032 spidx->prefs = sizeof(struct in6_addr) << 3;
1034 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1035 bzero(sin6, sizeof(*sin6));
1036 sin6->sin6_family = AF_INET6;
1037 sin6->sin6_len = sizeof(struct sockaddr_in6);
1038 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1039 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1040 sin6->sin6_addr.s6_addr16[1] = 0;
1041 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1043 spidx->prefd = sizeof(struct in6_addr) << 3;
1049 static struct inpcbpolicy *
1050 ipsec_newpcbpolicy(void)
1052 struct inpcbpolicy *p;
1054 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1059 ipsec_delpcbpolicy(struct inpcbpolicy *p)
1064 /* initialize policy in PCB */
1066 ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp)
1068 struct inpcbpolicy *new;
1071 if (so == NULL || pcb_sp == NULL)
1072 panic("ipsec_init_policy: NULL pointer was passed.");
1074 new = ipsec_newpcbpolicy();
1076 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1079 bzero(new, sizeof(*new));
1081 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1086 if ((new->sp_in = key_newsp()) == NULL) {
1087 ipsec_delpcbpolicy(new);
1090 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1091 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1093 if ((new->sp_out = key_newsp()) == NULL) {
1094 key_freesp(new->sp_in);
1095 ipsec_delpcbpolicy(new);
1098 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1099 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1106 /* copy old ipsec policy into new */
1108 ipsec_copy_policy(struct inpcbpolicy *old, struct inpcbpolicy *new)
1110 struct secpolicy *sp;
1112 sp = ipsec_deepcopy_policy(old->sp_in);
1114 key_freesp(new->sp_in);
1119 sp = ipsec_deepcopy_policy(old->sp_out);
1121 key_freesp(new->sp_out);
1126 new->priv = old->priv;
1131 /* deep-copy a policy in PCB */
1132 static struct secpolicy *
1133 ipsec_deepcopy_policy(struct secpolicy *src)
1135 struct ipsecrequest *newchain = NULL;
1136 struct ipsecrequest *p;
1137 struct ipsecrequest **q;
1138 struct ipsecrequest *r;
1139 struct secpolicy *dst;
1142 if (src == NULL || dst == NULL)
1146 * deep-copy IPsec request chain. This is required since struct
1147 * ipsecrequest is not reference counted.
1150 for (p = src->req; p; p = p->next) {
1151 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1155 bzero(*q, sizeof(**q));
1158 (*q)->saidx.proto = p->saidx.proto;
1159 (*q)->saidx.mode = p->saidx.mode;
1160 (*q)->level = p->level;
1161 (*q)->saidx.reqid = p->saidx.reqid;
1163 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1164 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1172 dst->req = newchain;
1173 dst->state = src->state;
1174 dst->policy = src->policy;
1175 /* do not touch the refcnt fields */
1180 for (p = newchain; p; p = r) {
1188 /* set policy and ipsec request if present. */
1190 ipsec_set_policy(struct secpolicy **pcb_sp, int optname, caddr_t request,
1191 size_t len, int priv)
1193 struct sadb_x_policy *xpl;
1194 struct secpolicy *newsp = NULL;
1198 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1200 if (len < sizeof(*xpl))
1202 xpl = (struct sadb_x_policy *)request;
1204 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1205 printf("ipsec_set_policy: passed policy\n");
1206 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1208 /* check policy type */
1209 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1210 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1211 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1214 /* check privileged socket */
1215 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1218 /* allocation new SP entry */
1219 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1222 newsp->state = IPSEC_SPSTATE_ALIVE;
1224 /* clear old SP and set new SP */
1225 key_freesp(*pcb_sp);
1227 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1228 printf("ipsec_set_policy: new policy\n");
1229 kdebug_secpolicy(newsp));
1235 ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp)
1239 if (pcb_sp == NULL || mp == NULL)
1242 *mp = key_sp2msg(pcb_sp);
1244 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1248 (*mp)->m_type = MT_DATA;
1249 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1250 printf("ipsec_get_policy:\n");
1257 ipsec4_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len,
1260 struct sadb_x_policy *xpl;
1261 struct secpolicy **pcb_sp;
1264 if (inp == NULL || request == NULL)
1266 if (len < sizeof(*xpl))
1268 xpl = (struct sadb_x_policy *)request;
1270 /* select direction */
1271 switch (xpl->sadb_x_policy_dir) {
1272 case IPSEC_DIR_INBOUND:
1273 pcb_sp = &inp->inp_sp->sp_in;
1275 case IPSEC_DIR_OUTBOUND:
1276 pcb_sp = &inp->inp_sp->sp_out;
1279 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1280 xpl->sadb_x_policy_dir));
1284 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1288 ipsec4_get_policy(struct inpcb *inp, caddr_t request, size_t len,
1291 struct sadb_x_policy *xpl;
1292 struct secpolicy *pcb_sp;
1295 if (inp == NULL || request == NULL || mp == NULL)
1297 if (inp->inp_sp == NULL)
1298 panic("policy in PCB is NULL");
1299 if (len < sizeof(*xpl))
1301 xpl = (struct sadb_x_policy *)request;
1303 /* select direction */
1304 switch (xpl->sadb_x_policy_dir) {
1305 case IPSEC_DIR_INBOUND:
1306 pcb_sp = inp->inp_sp->sp_in;
1308 case IPSEC_DIR_OUTBOUND:
1309 pcb_sp = inp->inp_sp->sp_out;
1312 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1313 xpl->sadb_x_policy_dir));
1317 return ipsec_get_policy(pcb_sp, mp);
1320 /* delete policy in PCB */
1322 ipsec4_delete_pcbpolicy(struct inpcb *inp)
1326 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1328 if (inp->inp_sp == NULL)
1331 if (inp->inp_sp->sp_in != NULL) {
1332 key_freesp(inp->inp_sp->sp_in);
1333 inp->inp_sp->sp_in = NULL;
1336 if (inp->inp_sp->sp_out != NULL) {
1337 key_freesp(inp->inp_sp->sp_out);
1338 inp->inp_sp->sp_out = NULL;
1341 ipsec_delpcbpolicy(inp->inp_sp);
1349 ipsec6_set_policy(struct in6pcb *in6p, int optname, caddr_t request, size_t len,
1352 struct sadb_x_policy *xpl;
1353 struct secpolicy **pcb_sp;
1356 if (in6p == NULL || request == NULL)
1358 if (len < sizeof(*xpl))
1360 xpl = (struct sadb_x_policy *)request;
1362 /* select direction */
1363 switch (xpl->sadb_x_policy_dir) {
1364 case IPSEC_DIR_INBOUND:
1365 pcb_sp = &in6p->in6p_sp->sp_in;
1367 case IPSEC_DIR_OUTBOUND:
1368 pcb_sp = &in6p->in6p_sp->sp_out;
1371 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1372 xpl->sadb_x_policy_dir));
1376 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1380 ipsec6_get_policy(struct in6pcb *in6p, caddr_t request, size_t len,
1383 struct sadb_x_policy *xpl;
1384 struct secpolicy *pcb_sp;
1387 if (in6p == NULL || request == NULL || mp == NULL)
1389 if (in6p->in6p_sp == NULL)
1390 panic("policy in PCB is NULL");
1391 if (len < sizeof(*xpl))
1393 xpl = (struct sadb_x_policy *)request;
1395 /* select direction */
1396 switch (xpl->sadb_x_policy_dir) {
1397 case IPSEC_DIR_INBOUND:
1398 pcb_sp = in6p->in6p_sp->sp_in;
1400 case IPSEC_DIR_OUTBOUND:
1401 pcb_sp = in6p->in6p_sp->sp_out;
1404 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1405 xpl->sadb_x_policy_dir));
1409 return ipsec_get_policy(pcb_sp, mp);
1413 ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
1417 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1419 if (in6p->in6p_sp == NULL)
1422 if (in6p->in6p_sp->sp_in != NULL) {
1423 key_freesp(in6p->in6p_sp->sp_in);
1424 in6p->in6p_sp->sp_in = NULL;
1427 if (in6p->in6p_sp->sp_out != NULL) {
1428 key_freesp(in6p->in6p_sp->sp_out);
1429 in6p->in6p_sp->sp_out = NULL;
1432 ipsec_delpcbpolicy(in6p->in6p_sp);
1433 in6p->in6p_sp = NULL;
1440 * return current level.
1441 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1444 ipsec_get_reqlevel(struct ipsecrequest *isr)
1447 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1450 if (isr == NULL || isr->sp == NULL)
1451 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1452 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1453 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1454 panic("ipsec_get_reqlevel: family mismatched.");
1456 /* XXX note that we have ipseclog() expanded here - code sync issue */
1457 #define IPSEC_CHECK_DEFAULT(lev) \
1458 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1459 && (lev) != IPSEC_LEVEL_UNIQUE) \
1461 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1462 (lev), IPSEC_LEVEL_REQUIRE) \
1464 (lev) = IPSEC_LEVEL_REQUIRE, \
1468 /* set default level */
1469 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1472 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1473 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1474 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1475 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1480 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1481 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1482 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1483 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1487 panic("key_get_reqlevel: Unknown family. %d",
1488 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1491 #undef IPSEC_CHECK_DEFAULT
1494 switch (isr->level) {
1495 case IPSEC_LEVEL_DEFAULT:
1496 switch (isr->saidx.proto) {
1498 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1499 level = esp_net_deflev;
1501 level = esp_trans_deflev;
1504 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1505 level = ah_net_deflev;
1507 level = ah_trans_deflev;
1508 case IPPROTO_IPCOMP:
1510 * we don't really care, as IPcomp document says that
1511 * we shouldn't compress small packets
1513 level = IPSEC_LEVEL_USE;
1516 panic("ipsec_get_reqlevel: "
1517 "Illegal protocol defined %u",
1522 case IPSEC_LEVEL_USE:
1523 case IPSEC_LEVEL_REQUIRE:
1526 case IPSEC_LEVEL_UNIQUE:
1527 level = IPSEC_LEVEL_REQUIRE;
1531 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1539 * Check AH/ESP integrity.
1545 ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
1547 struct ipsecrequest *isr;
1549 int need_auth, need_conf, need_icv;
1551 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1552 printf("ipsec_in_reject: using SP\n");
1553 kdebug_secpolicy(sp));
1556 switch (sp->policy) {
1557 case IPSEC_POLICY_DISCARD:
1559 case IPSEC_POLICY_BYPASS:
1560 case IPSEC_POLICY_NONE:
1563 case IPSEC_POLICY_IPSEC:
1566 case IPSEC_POLICY_ENTRUST:
1568 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1575 /* XXX should compare policy against ipsec header history */
1577 for (isr = sp->req; isr != NULL; isr = isr->next) {
1579 /* get current level */
1580 level = ipsec_get_reqlevel(isr);
1582 switch (isr->saidx.proto) {
1584 if (level == IPSEC_LEVEL_REQUIRE) {
1587 if (isr->sav != NULL
1588 && isr->sav->flags == SADB_X_EXT_NONE
1589 && isr->sav->alg_auth != SADB_AALG_NONE)
1594 if (level == IPSEC_LEVEL_REQUIRE) {
1599 case IPPROTO_IPCOMP:
1601 * we don't really care, as IPcomp document says that
1602 * we shouldn't compress small packets, IPComp policy
1603 * should always be treated as being in "use" level.
1609 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1610 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1611 need_auth, need_conf, need_icv, m->m_flags));
1613 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1614 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1615 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1622 * Check AH/ESP integrity.
1623 * This function is called from tcp_input(), udp_input(),
1624 * and {ah,esp}4_input for tunnel mode
1627 ipsec4_in_reject_so(struct mbuf *m, struct socket *so)
1629 struct secpolicy *sp = NULL;
1635 return 0; /* XXX should be panic ? */
1637 /* get SP for this packet.
1638 * When we are called from ip_forward(), we call
1639 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1642 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1644 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1647 return 0; /* XXX should be panic ?
1648 * -> No, there may be error. */
1650 result = ipsec_in_reject(sp, m);
1651 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1652 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1659 ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
1662 return ipsec4_in_reject_so(m, NULL);
1663 if (inp->inp_socket)
1664 return ipsec4_in_reject_so(m, inp->inp_socket);
1666 panic("ipsec4_in_reject: invalid inpcb/socket");
1671 * Check AH/ESP integrity.
1672 * This function is called from tcp6_input(), udp6_input(),
1673 * and {ah,esp}6_input for tunnel mode
1676 ipsec6_in_reject_so(struct mbuf *m, struct socket *so)
1678 struct secpolicy *sp = NULL;
1684 return 0; /* XXX should be panic ? */
1686 /* get SP for this packet.
1687 * When we are called from ip_forward(), we call
1688 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1691 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1693 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1696 return 0; /* XXX should be panic ? */
1698 result = ipsec_in_reject(sp, m);
1699 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1700 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1707 ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p)
1710 return ipsec6_in_reject_so(m, NULL);
1711 if (in6p->in6p_socket)
1712 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1714 panic("ipsec6_in_reject: invalid in6p/socket");
1719 * compute the byte size to be occupied by IPsec header.
1720 * in case it is tunneled, it includes the size of outer IP header.
1721 * NOTE: SP passed is free in this function.
1724 ipsec_hdrsiz(struct secpolicy *sp)
1726 struct ipsecrequest *isr;
1729 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1730 printf("ipsec_hdrsiz: using SP\n");
1731 kdebug_secpolicy(sp));
1734 switch (sp->policy) {
1735 case IPSEC_POLICY_DISCARD:
1736 case IPSEC_POLICY_BYPASS:
1737 case IPSEC_POLICY_NONE:
1740 case IPSEC_POLICY_IPSEC:
1743 case IPSEC_POLICY_ENTRUST:
1745 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1750 for (isr = sp->req; isr != NULL; isr = isr->next) {
1754 switch (isr->saidx.proto) {
1757 clen = esp_hdrsiz(isr);
1763 clen = ah_hdrsiz(isr);
1765 case IPPROTO_IPCOMP:
1766 clen = sizeof(struct ipcomp);
1770 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1771 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1773 clen += sizeof(struct ip);
1777 clen += sizeof(struct ip6_hdr);
1781 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1782 "unknown AF %d in IPsec tunnel SA\n",
1783 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1793 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1795 ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
1797 struct secpolicy *sp = NULL;
1803 return 0; /* XXX should be panic ? */
1804 if (inp != NULL && inp->inp_socket == NULL)
1805 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1807 /* get SP for this packet.
1808 * When we are called from ip_forward(), we call
1809 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1812 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1814 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
1817 return 0; /* XXX should be panic ? */
1819 size = ipsec_hdrsiz(sp);
1820 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1821 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
1822 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1823 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
1830 /* This function is called from ipsec6_hdrsize_tcp(),
1831 * and maybe from ip6_forward.()
1834 ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p)
1836 struct secpolicy *sp = NULL;
1842 return 0; /* XXX shoud be panic ? */
1843 if (in6p != NULL && in6p->in6p_socket == NULL)
1844 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1846 /* get SP for this packet */
1847 /* XXX Is it right to call with IP_FORWARDING. */
1849 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1851 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
1855 size = ipsec_hdrsiz(sp);
1856 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1857 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
1858 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1859 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
1868 * encapsulate for ipsec tunnel.
1869 * ip->ip_src must be fixed later on.
1872 ipsec4_encapsulate(struct mbuf *m, struct secasvar *sav)
1879 /* can't tunnel between different AFs */
1880 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
1881 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
1882 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
1887 /* XXX if the dst is myself, perform nothing. */
1888 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
1894 if (m->m_len < sizeof(*ip))
1895 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1897 ip = mtod(m, struct ip *);
1899 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
1901 hlen = ip->ip_hl << 2;
1904 if (m->m_len != hlen)
1905 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1907 /* generate header checksum */
1910 if (ip->ip_vhl == IP_VHL_BORING)
1911 ip->ip_sum = in_cksum_hdr(ip);
1913 ip->ip_sum = in_cksum(m, hlen);
1915 ip->ip_sum = in_cksum(m, hlen);
1918 plen = m->m_pkthdr.len;
1921 * grow the mbuf to accomodate the new IPv4 header.
1922 * NOTE: IPv4 options will never be copied.
1924 if (M_LEADINGSPACE(m->m_next) < hlen) {
1926 MGET(n, MB_DONTWAIT, MT_DATA);
1932 n->m_next = m->m_next;
1934 m->m_pkthdr.len += hlen;
1935 oip = mtod(n, struct ip *);
1937 m->m_next->m_len += hlen;
1938 m->m_next->m_data -= hlen;
1939 m->m_pkthdr.len += hlen;
1940 oip = mtod(m->m_next, struct ip *);
1942 ip = mtod(m, struct ip *);
1943 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
1944 m->m_len = sizeof(struct ip);
1945 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
1947 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
1948 /* ECN consideration. */
1949 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
1951 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
1953 ip->ip_hl = sizeof(struct ip) >> 2;
1955 ip->ip_off &= htons(~IP_OFFMASK);
1956 ip->ip_off &= htons(~IP_MF);
1957 switch (ip4_ipsec_dfbit) {
1958 case 0: /* clear DF bit */
1959 ip->ip_off &= htons(~IP_DF);
1961 case 1: /* set DF bit */
1962 ip->ip_off |= htons(IP_DF);
1964 default: /* copy DF bit */
1967 ip->ip_p = IPPROTO_IPIP;
1968 if (plen + sizeof(struct ip) < IP_MAXPACKET)
1969 ip->ip_len = htons(plen + sizeof(struct ip));
1971 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
1972 "leave ip_len as is (invalid packet)\n"));
1975 ip->ip_id = ip_randomid();
1977 ip->ip_id = htons(ip_id++);
1979 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
1980 &ip->ip_src, sizeof(ip->ip_src));
1981 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
1982 &ip->ip_dst, sizeof(ip->ip_dst));
1983 ip->ip_ttl = IPDEFTTL;
1985 /* XXX Should ip_src be updated later ? */
1993 ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
1995 struct ip6_hdr *oip6;
1996 struct ip6_hdr *ip6;
1999 /* can't tunnel between different AFs */
2000 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2001 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2002 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2007 /* XXX if the dst is myself, perform nothing. */
2008 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2014 plen = m->m_pkthdr.len;
2017 * grow the mbuf to accomodate the new IPv6 header.
2019 if (m->m_len != sizeof(struct ip6_hdr))
2020 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2021 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2023 MGET(n, MB_DONTWAIT, MT_DATA);
2028 n->m_len = sizeof(struct ip6_hdr);
2029 n->m_next = m->m_next;
2031 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2032 oip6 = mtod(n, struct ip6_hdr *);
2034 m->m_next->m_len += sizeof(struct ip6_hdr);
2035 m->m_next->m_data -= sizeof(struct ip6_hdr);
2036 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2037 oip6 = mtod(m->m_next, struct ip6_hdr *);
2039 ip6 = mtod(m, struct ip6_hdr *);
2040 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2042 /* Fake link-local scope-class addresses */
2043 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2044 oip6->ip6_src.s6_addr16[1] = 0;
2045 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2046 oip6->ip6_dst.s6_addr16[1] = 0;
2048 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2049 /* ECN consideration. */
2050 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2051 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2052 ip6->ip6_plen = htons(plen);
2054 /* ip6->ip6_plen will be updated in ip6_output() */
2056 ip6->ip6_nxt = IPPROTO_IPV6;
2057 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2058 &ip6->ip6_src, sizeof(ip6->ip6_src));
2059 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2060 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2061 ip6->ip6_hlim = IPV6_DEFHLIM;
2063 /* XXX Should ip6_src be updated later ? */
2070 * Check the variable replay window.
2071 * ipsec_chkreplay() performs replay check before ICV verification.
2072 * ipsec_updatereplay() updates replay bitmap. This must be called after
2073 * ICV verification (it also performs replay check, which is usually done
2075 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2077 * based on RFC 2401.
2080 ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
2082 const struct secreplay *replay;
2085 u_int32_t wsizeb; /* constant: bits of window size */
2086 int frlast; /* constant: last frame */
2090 panic("ipsec_chkreplay: NULL pointer was passed.");
2092 replay = sav->replay;
2094 if (replay->wsize == 0)
2095 return 1; /* no need to check replay. */
2098 frlast = replay->wsize - 1;
2099 wsizeb = replay->wsize << 3;
2101 /* sequence number of 0 is invalid */
2105 /* first time is always okay */
2106 if (replay->count == 0)
2109 if (seq > replay->lastseq) {
2110 /* larger sequences are okay */
2113 /* seq is equal or less than lastseq. */
2114 diff = replay->lastseq - seq;
2116 /* over range to check, i.e. too old or wrapped */
2120 fr = frlast - diff / 8;
2122 /* this packet already seen ? */
2123 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2126 /* out of order but good */
2132 * check replay counter whether to update or not.
2137 ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
2139 struct secreplay *replay;
2142 u_int32_t wsizeb; /* constant: bits of window size */
2143 int frlast; /* constant: last frame */
2147 panic("ipsec_chkreplay: NULL pointer was passed.");
2149 replay = sav->replay;
2151 if (replay->wsize == 0)
2152 goto ok; /* no need to check replay. */
2155 frlast = replay->wsize - 1;
2156 wsizeb = replay->wsize << 3;
2158 /* sequence number of 0 is invalid */
2163 if (replay->count == 0) {
2164 replay->lastseq = seq;
2165 bzero(replay->bitmap, replay->wsize);
2166 (replay->bitmap)[frlast] = 1;
2170 if (seq > replay->lastseq) {
2171 /* seq is larger than lastseq. */
2172 diff = seq - replay->lastseq;
2174 /* new larger sequence number */
2175 if (diff < wsizeb) {
2177 /* set bit for this packet */
2178 vshiftl(replay->bitmap, diff, replay->wsize);
2179 (replay->bitmap)[frlast] |= 1;
2181 /* this packet has a "way larger" */
2182 bzero(replay->bitmap, replay->wsize);
2183 (replay->bitmap)[frlast] = 1;
2185 replay->lastseq = seq;
2187 /* larger is good */
2189 /* seq is equal or less than lastseq. */
2190 diff = replay->lastseq - seq;
2192 /* over range to check, i.e. too old or wrapped */
2196 fr = frlast - diff / 8;
2198 /* this packet already seen ? */
2199 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2203 (replay->bitmap)[fr] |= (1 << (diff % 8));
2205 /* out of order but good */
2209 if (replay->count == ~0) {
2211 /* set overflow flag */
2214 /* don't increment, no more packets accepted */
2215 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2218 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2219 replay->overflow, ipsec_logsastr(sav)));
2228 * shift variable length buffer to left.
2229 * IN: bitmap: pointer to the buffer
2230 * nbit: the number of to shift.
2231 * wsize: buffer size (bytes).
2234 vshiftl(unsigned char *bitmap, int nbit, int wsize)
2239 for (j = 0; j < nbit; j += 8) {
2240 s = (nbit - j < 8) ? (nbit - j): 8;
2242 for (i = 1; i < wsize; i++) {
2243 over = (bitmap[i] >> (8 - s));
2245 bitmap[i-1] |= over;
2253 ipsec4_logpacketstr(struct ip *ip, u_int32_t spi)
2255 static char buf[256];
2259 s = (u_int8_t *)(&ip->ip_src);
2260 d = (u_int8_t *)(&ip->ip_dst);
2263 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2266 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2267 s[0], s[1], s[2], s[3]);
2270 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2271 d[0], d[1], d[2], d[3]);
2274 snprintf(p, sizeof(buf) - (p - buf), ")");
2281 ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi)
2283 static char buf[256];
2287 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2290 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2291 ip6_sprintf(&ip6->ip6_src));
2294 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2295 ip6_sprintf(&ip6->ip6_dst));
2298 snprintf(p, sizeof(buf) - (p - buf), ")");
2305 ipsec_logsastr(struct secasvar *sav)
2307 static char buf[256];
2309 struct secasindex *saidx = &sav->sah->saidx;
2311 /* validity check */
2312 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2313 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2314 panic("ipsec_logsastr: family mismatched.");
2317 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2320 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2322 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2323 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2324 snprintf(p, sizeof(buf) - (p - buf),
2325 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2326 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2329 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2330 snprintf(p, sizeof(buf) - (p - buf),
2332 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2335 snprintf(p, sizeof(buf) - (p - buf),
2337 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2342 snprintf(p, sizeof(buf) - (p - buf), ")");
2348 ipsec_dumpmbuf(struct mbuf *m)
2357 p = mtod(m, u_char *);
2358 for (i = 0; i < m->m_len; i++) {
2359 printf("%02x ", p[i]);
2361 if (totlen % 16 == 0)
2366 if (totlen % 16 != 0)
2373 * IPsec output logic for IPv4.
2376 ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
2378 struct ip *ip = NULL;
2379 struct ipsecrequest *isr = NULL;
2380 struct secasindex saidx;
2383 struct sockaddr_in *dst4;
2384 struct sockaddr_in *sin;
2387 panic("state == NULL in ipsec4_output");
2389 panic("state->m == NULL in ipsec4_output");
2391 panic("state->ro == NULL in ipsec4_output");
2393 panic("state->dst == NULL in ipsec4_output");
2395 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2396 printf("ipsec4_output: applyed SP\n");
2397 kdebug_secpolicy(sp));
2399 for (isr = sp->req; isr != NULL; isr = isr->next) {
2401 #if 0 /* give up to check restriction of transport mode */
2402 /* XXX but should be checked somewhere */
2404 * some of the IPsec operation must be performed only in
2407 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2408 && (flags & IP_FORWARDING))
2412 /* make SA index for search proper SA */
2413 ip = mtod(state->m, struct ip *);
2414 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2415 saidx.mode = isr->saidx.mode;
2416 saidx.reqid = isr->saidx.reqid;
2417 sin = (struct sockaddr_in *)&saidx.src;
2418 if (sin->sin_len == 0) {
2419 sin->sin_len = sizeof(*sin);
2420 sin->sin_family = AF_INET;
2421 sin->sin_port = IPSEC_PORT_ANY;
2422 bcopy(&ip->ip_src, &sin->sin_addr,
2423 sizeof(sin->sin_addr));
2425 sin = (struct sockaddr_in *)&saidx.dst;
2426 if (sin->sin_len == 0) {
2427 sin->sin_len = sizeof(*sin);
2428 sin->sin_family = AF_INET;
2429 sin->sin_port = IPSEC_PORT_ANY;
2430 bcopy(&ip->ip_dst, &sin->sin_addr,
2431 sizeof(sin->sin_addr));
2434 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2436 * IPsec processing is required, but no SA found.
2437 * I assume that key_acquire() had been called
2438 * to get/establish the SA. Here I discard
2439 * this packet because it is responsibility for
2440 * upper layer to retransmit the packet.
2442 ipsecstat.out_nosa++;
2446 /* validity check */
2447 if (isr->sav == NULL) {
2448 switch (ipsec_get_reqlevel(isr)) {
2449 case IPSEC_LEVEL_USE:
2451 case IPSEC_LEVEL_REQUIRE:
2452 /* must be not reached here. */
2453 panic("ipsec4_output: no SA found, but required.");
2458 * If there is no valid SA, we give up to process any
2459 * more. In such a case, the SA's status is changed
2460 * from DYING to DEAD after allocating. If a packet
2461 * send to the receiver by dead SA, the receiver can
2462 * not decode a packet because SA has been dead.
2464 if (isr->sav->state != SADB_SASTATE_MATURE
2465 && isr->sav->state != SADB_SASTATE_DYING) {
2466 ipsecstat.out_nosa++;
2472 * There may be the case that SA status will be changed when
2473 * we are refering to one. So calling splsoftnet().
2477 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2479 * build IPsec tunnel.
2481 /* XXX should be processed with other familiy */
2482 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2483 ipseclog((LOG_ERR, "ipsec4_output: "
2484 "family mismatched between inner and outer spi=%u\n",
2485 (u_int32_t)ntohl(isr->sav->spi)));
2487 error = EAFNOSUPPORT;
2491 state->m = ipsec4_splithdr(state->m);
2497 error = ipsec4_encapsulate(state->m, isr->sav);
2503 ip = mtod(state->m, struct ip *);
2505 state->ro = &isr->sav->sah->sa_route;
2506 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2507 dst4 = (struct sockaddr_in *)state->dst;
2508 if (state->ro->ro_rt
2509 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2510 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2511 RTFREE(state->ro->ro_rt);
2512 state->ro->ro_rt = NULL;
2514 if (state->ro->ro_rt == 0) {
2515 dst4->sin_family = AF_INET;
2516 dst4->sin_len = sizeof(*dst4);
2517 dst4->sin_addr = ip->ip_dst;
2520 if (state->ro->ro_rt == 0) {
2521 ipstat.ips_noroute++;
2522 error = EHOSTUNREACH;
2526 /* adjust state->dst if tunnel endpoint is offlink */
2527 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2528 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2529 dst4 = (struct sockaddr_in *)state->dst;
2534 state->m = ipsec4_splithdr(state->m);
2539 switch (isr->saidx.proto) {
2542 if ((error = esp4_output(state->m, isr)) != 0) {
2554 if ((error = ah4_output(state->m, isr)) != 0) {
2559 case IPPROTO_IPCOMP:
2560 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2567 "ipsec4_output: unknown ipsec protocol %d\n",
2575 if (state->m == 0) {
2579 ip = mtod(state->m, struct ip *);
2593 * IPsec output logic for IPv6, transport mode.
2596 ipsec6_output_trans(struct ipsec_output_state *state, u_char *nexthdrp,
2597 struct mbuf *mprev, struct secpolicy *sp, int flags,
2600 struct ip6_hdr *ip6;
2601 struct ipsecrequest *isr = NULL;
2602 struct secasindex saidx;
2605 struct sockaddr_in6 *sin6;
2608 panic("state == NULL in ipsec6_output_trans");
2610 panic("state->m == NULL in ipsec6_output_trans");
2612 panic("nexthdrp == NULL in ipsec6_output_trans");
2614 panic("mprev == NULL in ipsec6_output_trans");
2616 panic("sp == NULL in ipsec6_output_trans");
2618 panic("tun == NULL in ipsec6_output_trans");
2620 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2621 printf("ipsec6_output_trans: applyed SP\n");
2622 kdebug_secpolicy(sp));
2625 for (isr = sp->req; isr; isr = isr->next) {
2626 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2627 /* the rest will be handled by ipsec6_output_tunnel() */
2631 /* make SA index for search proper SA */
2632 ip6 = mtod(state->m, struct ip6_hdr *);
2633 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2634 saidx.mode = isr->saidx.mode;
2635 saidx.reqid = isr->saidx.reqid;
2636 sin6 = (struct sockaddr_in6 *)&saidx.src;
2637 if (sin6->sin6_len == 0) {
2638 sin6->sin6_len = sizeof(*sin6);
2639 sin6->sin6_family = AF_INET6;
2640 sin6->sin6_port = IPSEC_PORT_ANY;
2641 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2642 sizeof(ip6->ip6_src));
2643 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2644 /* fix scope id for comparing SPD */
2645 sin6->sin6_addr.s6_addr16[1] = 0;
2646 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2649 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2650 if (sin6->sin6_len == 0) {
2651 sin6->sin6_len = sizeof(*sin6);
2652 sin6->sin6_family = AF_INET6;
2653 sin6->sin6_port = IPSEC_PORT_ANY;
2654 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2655 sizeof(ip6->ip6_dst));
2656 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2657 /* fix scope id for comparing SPD */
2658 sin6->sin6_addr.s6_addr16[1] = 0;
2659 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2663 if (key_checkrequest(isr, &saidx) == ENOENT) {
2665 * IPsec processing is required, but no SA found.
2666 * I assume that key_acquire() had been called
2667 * to get/establish the SA. Here I discard
2668 * this packet because it is responsibility for
2669 * upper layer to retransmit the packet.
2671 ipsec6stat.out_nosa++;
2675 * Notify the fact that the packet is discarded
2676 * to ourselves. I believe this is better than
2677 * just silently discarding. (jinmei@kame.net)
2678 * XXX: should we restrict the error to TCP packets?
2679 * XXX: should we directly notify sockets via
2682 icmp6_error(state->m, ICMP6_DST_UNREACH,
2683 ICMP6_DST_UNREACH_ADMIN, 0);
2684 state->m = NULL; /* icmp6_error freed the mbuf */
2688 /* validity check */
2689 if (isr->sav == NULL) {
2690 switch (ipsec_get_reqlevel(isr)) {
2691 case IPSEC_LEVEL_USE:
2693 case IPSEC_LEVEL_REQUIRE:
2694 /* must be not reached here. */
2695 panic("ipsec6_output_trans: no SA found, but required.");
2700 * If there is no valid SA, we give up to process.
2701 * see same place at ipsec4_output().
2703 if (isr->sav->state != SADB_SASTATE_MATURE
2704 && isr->sav->state != SADB_SASTATE_DYING) {
2705 ipsec6stat.out_nosa++;
2710 switch (isr->saidx.proto) {
2713 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2720 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2722 case IPPROTO_IPCOMP:
2723 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2726 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2727 "unknown ipsec protocol %d\n", isr->saidx.proto));
2729 ipsec6stat.out_inval++;
2737 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2738 if (plen > IPV6_MAXPACKET) {
2739 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2740 "IPsec with IPv6 jumbogram is not supported\n"));
2741 ipsec6stat.out_inval++;
2742 error = EINVAL; /* XXX */
2745 ip6 = mtod(state->m, struct ip6_hdr *);
2746 ip6->ip6_plen = htons(plen);
2749 /* if we have more to go, we need a tunnel mode processing */
2762 * IPsec output logic for IPv6, tunnel mode.
2765 ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp,
2768 struct ip6_hdr *ip6;
2769 struct ipsecrequest *isr = NULL;
2770 struct secasindex saidx;
2773 struct sockaddr_in6* dst6;
2777 panic("state == NULL in ipsec6_output_tunnel");
2779 panic("state->m == NULL in ipsec6_output_tunnel");
2781 panic("sp == NULL in ipsec6_output_tunnel");
2783 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2784 printf("ipsec6_output_tunnel: applyed SP\n");
2785 kdebug_secpolicy(sp));
2788 * transport mode ipsec (before the 1st tunnel mode) is already
2789 * processed by ipsec6_output_trans().
2791 for (isr = sp->req; isr; isr = isr->next) {
2792 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
2796 for (/* already initialized */; isr; isr = isr->next) {
2797 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2798 /* When tunnel mode, SA peers must be specified. */
2799 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2801 /* make SA index to look for a proper SA */
2802 struct sockaddr_in6 *sin6;
2804 bzero(&saidx, sizeof(saidx));
2805 saidx.proto = isr->saidx.proto;
2806 saidx.mode = isr->saidx.mode;
2807 saidx.reqid = isr->saidx.reqid;
2809 ip6 = mtod(state->m, struct ip6_hdr *);
2810 sin6 = (struct sockaddr_in6 *)&saidx.src;
2811 if (sin6->sin6_len == 0) {
2812 sin6->sin6_len = sizeof(*sin6);
2813 sin6->sin6_family = AF_INET6;
2814 sin6->sin6_port = IPSEC_PORT_ANY;
2815 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2816 sizeof(ip6->ip6_src));
2817 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2818 /* fix scope id for comparing SPD */
2819 sin6->sin6_addr.s6_addr16[1] = 0;
2820 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2823 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2824 if (sin6->sin6_len == 0) {
2825 sin6->sin6_len = sizeof(*sin6);
2826 sin6->sin6_family = AF_INET6;
2827 sin6->sin6_port = IPSEC_PORT_ANY;
2828 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2829 sizeof(ip6->ip6_dst));
2830 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2831 /* fix scope id for comparing SPD */
2832 sin6->sin6_addr.s6_addr16[1] = 0;
2833 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2838 if (key_checkrequest(isr, &saidx) == ENOENT) {
2840 * IPsec processing is required, but no SA found.
2841 * I assume that key_acquire() had been called
2842 * to get/establish the SA. Here I discard
2843 * this packet because it is responsibility for
2844 * upper layer to retransmit the packet.
2846 ipsec6stat.out_nosa++;
2851 /* validity check */
2852 if (isr->sav == NULL) {
2853 switch (ipsec_get_reqlevel(isr)) {
2854 case IPSEC_LEVEL_USE:
2856 case IPSEC_LEVEL_REQUIRE:
2857 /* must be not reached here. */
2858 panic("ipsec6_output_tunnel: no SA found, but required.");
2863 * If there is no valid SA, we give up to process.
2864 * see same place at ipsec4_output().
2866 if (isr->sav->state != SADB_SASTATE_MATURE
2867 && isr->sav->state != SADB_SASTATE_DYING) {
2868 ipsec6stat.out_nosa++;
2874 * There may be the case that SA status will be changed when
2875 * we are refering to one. So calling splsoftnet().
2879 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2881 * build IPsec tunnel.
2883 /* XXX should be processed with other familiy */
2884 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
2885 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2886 "family mismatched between inner and outer, spi=%u\n",
2887 (u_int32_t)ntohl(isr->sav->spi)));
2889 ipsec6stat.out_inval++;
2890 error = EAFNOSUPPORT;
2894 state->m = ipsec6_splithdr(state->m);
2897 ipsec6stat.out_nomem++;
2901 error = ipsec6_encapsulate(state->m, isr->sav);
2907 ip6 = mtod(state->m, struct ip6_hdr *);
2909 state->ro = &isr->sav->sah->sa_route;
2910 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2911 dst6 = (struct sockaddr_in6 *)state->dst;
2912 if (state->ro->ro_rt
2913 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2914 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
2915 RTFREE(state->ro->ro_rt);
2916 state->ro->ro_rt = NULL;
2918 if (state->ro->ro_rt == 0) {
2919 bzero(dst6, sizeof(*dst6));
2920 dst6->sin6_family = AF_INET6;
2921 dst6->sin6_len = sizeof(*dst6);
2922 dst6->sin6_addr = ip6->ip6_dst;
2925 if (state->ro->ro_rt == 0) {
2926 ip6stat.ip6s_noroute++;
2927 ipsec6stat.out_noroute++;
2928 error = EHOSTUNREACH;
2932 /* adjust state->dst if tunnel endpoint is offlink */
2933 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2934 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2935 dst6 = (struct sockaddr_in6 *)state->dst;
2940 state->m = ipsec6_splithdr(state->m);
2942 ipsec6stat.out_nomem++;
2946 ip6 = mtod(state->m, struct ip6_hdr *);
2947 switch (isr->saidx.proto) {
2950 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
2957 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
2959 case IPPROTO_IPCOMP:
2960 /* XXX code should be here */
2963 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2964 "unknown ipsec protocol %d\n", isr->saidx.proto));
2966 ipsec6stat.out_inval++;
2974 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2975 if (plen > IPV6_MAXPACKET) {
2976 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2977 "IPsec with IPv6 jumbogram is not supported\n"));
2978 ipsec6stat.out_inval++;
2979 error = EINVAL; /* XXX */
2982 ip6 = mtod(state->m, struct ip6_hdr *);
2983 ip6->ip6_plen = htons(plen);
2997 * Chop IP header and option off from the payload.
2999 static struct mbuf *
3000 ipsec4_splithdr(struct mbuf *m)
3006 if (m->m_len < sizeof(struct ip))
3007 panic("ipsec4_splithdr: first mbuf too short");
3008 ip = mtod(m, struct ip *);
3010 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3012 hlen = ip->ip_hl << 2;
3014 if (m->m_len > hlen) {
3015 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
3020 M_MOVE_PKTHDR(mh, m);
3027 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3028 } else if (m->m_len < hlen) {
3029 m = m_pullup(m, hlen);
3038 static struct mbuf *
3039 ipsec6_splithdr(struct mbuf *m)
3042 struct ip6_hdr *ip6;
3045 if (m->m_len < sizeof(struct ip6_hdr))
3046 panic("ipsec6_splithdr: first mbuf too short");
3047 ip6 = mtod(m, struct ip6_hdr *);
3048 hlen = sizeof(struct ip6_hdr);
3049 if (m->m_len > hlen) {
3050 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
3055 M_MOVE_PKTHDR(mh, m);
3062 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3063 } else if (m->m_len < hlen) {
3064 m = m_pullup(m, hlen);
3072 /* validate inbound IPsec tunnel packet. */
3074 ipsec4_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3075 int off, u_int nxt0, struct secasvar *sav)
3077 u_int8_t nxt = nxt0 & 0xff;
3078 struct sockaddr_in *sin;
3079 struct sockaddr_in osrc, odst, isrc, idst;
3081 struct secpolicy *sp;
3085 if (m->m_len < sizeof(struct ip))
3086 panic("too short mbuf on ipsec4_tunnel_validate");
3088 if (nxt != IPPROTO_IPV4)
3090 if (m->m_pkthdr.len < off + sizeof(struct ip))
3092 /* do not decapsulate if the SA is for transport mode only */
3093 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3096 oip = mtod(m, struct ip *);
3098 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3100 hlen = oip->ip_hl << 2;
3102 if (hlen != sizeof(struct ip))
3105 /* AF_INET6 should be supported, but at this moment we don't. */
3106 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3107 if (sin->sin_family != AF_INET)
3109 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3113 bzero(&osrc, sizeof(osrc));
3114 bzero(&odst, sizeof(odst));
3115 bzero(&isrc, sizeof(isrc));
3116 bzero(&idst, sizeof(idst));
3117 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3119 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3120 sizeof(struct sockaddr_in);
3121 osrc.sin_addr = oip->ip_src;
3122 odst.sin_addr = oip->ip_dst;
3123 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3124 (caddr_t)&isrc.sin_addr);
3125 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3126 (caddr_t)&idst.sin_addr);
3129 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3130 * - if the inner destination is multicast address, there can be
3131 * multiple permissible inner source address. implementation
3132 * may want to skip verification of inner source address against
3134 * - if the inner protocol is ICMP, the packet may be an error report
3135 * from routers on the other side of the VPN cloud (R in the
3136 * following diagram). in this case, we cannot verify inner source
3137 * address against SPD selector.
3138 * me -- gw === gw -- R -- you
3140 * we consider the first bullet to be users responsibility on SPD entry
3141 * configuration (if you need to encrypt multicast traffic, set
3142 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3143 * address ranges for possible senders).
3144 * the second bullet is not taken care of (yet).
3146 * therefore, we do not do anything special about inner source.
3149 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3150 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3159 /* validate inbound IPsec tunnel packet. */
3161 ipsec6_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3162 int off, u_int nxt0, struct secasvar *sav)
3164 u_int8_t nxt = nxt0 & 0xff;
3165 struct sockaddr_in6 *sin6;
3166 struct sockaddr_in6 osrc, odst, isrc, idst;
3167 struct secpolicy *sp;
3168 struct ip6_hdr *oip6;
3171 if (m->m_len < sizeof(struct ip6_hdr))
3172 panic("too short mbuf on ipsec6_tunnel_validate");
3174 if (nxt != IPPROTO_IPV6)
3176 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3178 /* do not decapsulate if the SA is for transport mode only */
3179 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3182 oip6 = mtod(m, struct ip6_hdr *);
3183 /* AF_INET should be supported, but at this moment we don't. */
3184 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3185 if (sin6->sin6_family != AF_INET6)
3187 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3191 bzero(&osrc, sizeof(osrc));
3192 bzero(&odst, sizeof(odst));
3193 bzero(&isrc, sizeof(isrc));
3194 bzero(&idst, sizeof(idst));
3195 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3196 idst.sin6_family = AF_INET6;
3197 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3198 sizeof(struct sockaddr_in6);
3199 osrc.sin6_addr = oip6->ip6_src;
3200 odst.sin6_addr = oip6->ip6_dst;
3201 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3202 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3203 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3204 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3207 * regarding to inner source address validation, see a long comment
3208 * in ipsec4_tunnel_validate.
3211 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3212 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3214 * when there is no suitable inbound policy for the packet of the ipsec
3215 * tunnel mode, the kernel never decapsulate the tunneled packet
3216 * as the ipsec tunnel mode even when the system wide policy is "none".
3217 * then the kernel leaves the generic tunnel module to process this
3218 * packet. if there is no rule of the generic tunnel, the packet
3219 * is rejected and the statistics will be counted up.
3230 * Make a mbuf chain for encryption.
3231 * If the original mbuf chain contains a mbuf with a cluster,
3232 * allocate a new cluster and copy the data to the new cluster.
3233 * XXX: this hack is inefficient, but is necessary to handle cases
3234 * of TCP retransmission...
3237 ipsec_copypkt(struct mbuf *m)
3239 struct mbuf *n, **mpp, *mnew;
3241 for (n = m, mpp = &m; n; n = n->m_next) {
3242 if (n->m_flags & M_EXT) {
3244 * Make a copy only if there are more than one
3245 * references to the cluster.
3246 * XXX: is this approach effective?
3248 if (m_sharecount(n) > 1) {
3252 if (n->m_flags & M_PKTHDR) {
3253 MGETHDR(mnew, MB_DONTWAIT, MT_HEADER);
3256 if (!m_dup_pkthdr(mnew, n, MB_DONTWAIT)) {
3262 MGET(mnew, MB_DONTWAIT, MT_DATA);
3270 * Copy data. If we don't have enough space to
3271 * store the whole data, allocate a cluster
3272 * or additional mbufs.
3273 * XXX: we don't use m_copyback(), since the
3274 * function does not use clusters and thus is
3283 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3285 else { /* allocate a cluster */
3286 MCLGET(mm, MB_DONTWAIT);
3287 if (!(mm->m_flags & M_EXT)) {
3291 len = remain < MCLBYTES ?
3295 bcopy(n->m_data + copied, mm->m_data,
3302 if (remain <= 0) /* completed? */
3305 /* need another mbuf */
3306 MGETHDR(mn, MB_DONTWAIT, MT_HEADER);
3309 mn->m_pkthdr.rcvif = NULL;
3315 mm->m_next = m_free(n);
3334 ipsec_delaux(struct mbuf *m)
3338 while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
3339 m_tag_delete(m, tag);
3343 ipsec_addhist(struct mbuf *m, int proto, u_int32_t spi)
3346 struct ipsec_history *p;
3348 tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3349 sizeof (struct ipsec_history), M_NOWAIT);
3352 p = (struct ipsec_history *)(tag+1);
3353 bzero(p, sizeof(*p));
3354 p->ih_proto = proto;
3356 m_tag_prepend(m, tag);
3360 struct ipsec_history *
3361 ipsec_gethist(struct mbuf *m, int *lenp)
3365 tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3368 /* XXX NB: noone uses this so fake it */
3370 *lenp = sizeof (struct ipsec_history);
3371 return ((struct ipsec_history *)(tag+1));
projects / dragonfly.git / blob