1 /* $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.12 2003/05/06 06:46:58 suz Exp $ */
2 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * IPsec controller part.
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/socketvar.h>
49 #include <sys/errno.h>
51 #include <sys/kernel.h>
52 #include <sys/syslog.h>
53 #include <sys/sysctl.h>
55 #include <sys/in_cksum.h>
56 #include <sys/thread2.h>
59 #include <net/route.h>
61 #include <netinet/in.h>
62 #include <netinet/in_systm.h>
63 #include <netinet/ip.h>
64 #include <netinet/ip_var.h>
65 #include <netinet/in_var.h>
66 #include <netinet/udp.h>
67 #include <netinet/udp_var.h>
68 #include <netinet/ip_ecn.h>
70 #include <netinet6/ip6_ecn.h>
72 #include <netinet/tcp.h>
74 #include <netinet/ip6.h>
76 #include <netinet6/ip6_var.h>
78 #include <netinet/in_pcb.h>
80 #include <netinet/icmp6.h>
83 #include <netinet6/ipsec.h>
85 #include <netinet6/ipsec6.h>
87 #include <netinet6/ah.h>
89 #include <netinet6/ah6.h>
92 #include <netinet6/esp.h>
94 #include <netinet6/esp6.h>
97 #include <netinet6/ipcomp.h>
99 #include <netinet6/ipcomp6.h>
101 #include <netproto/key/key.h>
102 #include <netproto/key/keydb.h>
103 #include <netproto/key/key_debug.h>
105 #include <net/net_osdep.h>
113 struct ipsecstat ipsecstat;
114 int ip4_ah_cleartos = 1;
115 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
116 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
117 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
118 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
119 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
120 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
121 struct secpolicy ip4_def_policy;
122 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
123 int ip4_esp_randpad = -1;
126 SYSCTL_DECL(_net_inet_ipsec);
128 SYSCTL_DECL(_net_inet6_ipsec6);
133 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
134 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
135 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
136 def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
137 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
138 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
139 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
140 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
141 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
142 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
143 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
144 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
145 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
146 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
147 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
148 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
149 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
150 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
151 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
152 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
153 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
154 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
155 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
156 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
159 struct ipsecstat ipsec6stat;
160 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
161 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
162 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
163 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
164 struct secpolicy ip6_def_policy;
165 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
166 int ip6_esp_randpad = -1;
168 /* net.inet6.ipsec6 */
169 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
170 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
171 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
172 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
173 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
174 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
175 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
176 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
177 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
178 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
179 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
180 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
181 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
182 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
183 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
184 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
185 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
186 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
189 static int ipsec_setspidx_mbuf
190 (struct secpolicyindex *, u_int, u_int, struct mbuf *, int);
191 static int ipsec4_setspidx_inpcb (struct mbuf *, struct inpcb *pcb);
193 static int ipsec6_setspidx_in6pcb (struct mbuf *, struct in6pcb *pcb);
195 static int ipsec_setspidx (struct mbuf *, struct secpolicyindex *, int);
196 static void ipsec4_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
197 static int ipsec4_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
199 static void ipsec6_get_ulp (struct mbuf *m, struct secpolicyindex *, int);
200 static int ipsec6_setspidx_ipaddr (struct mbuf *, struct secpolicyindex *);
202 static struct inpcbpolicy *ipsec_newpcbpolicy (void);
203 static void ipsec_delpcbpolicy (struct inpcbpolicy *);
204 static struct secpolicy *ipsec_deepcopy_policy (struct secpolicy *src);
205 static int ipsec_set_policy (struct secpolicy **pcb_sp,
206 int optname, caddr_t request, size_t len, int priv);
207 static int ipsec_get_policy (struct secpolicy *pcb_sp, struct mbuf **mp);
208 static void vshiftl (unsigned char *, int, int);
209 static int ipsec_in_reject (struct secpolicy *, struct mbuf *);
210 static size_t ipsec_hdrsiz (struct secpolicy *);
212 static struct mbuf *ipsec4_splithdr (struct mbuf *);
215 static struct mbuf *ipsec6_splithdr (struct mbuf *);
218 static int ipsec4_encapsulate (struct mbuf *, struct secasvar *);
221 static int ipsec6_encapsulate (struct mbuf *, struct secasvar *);
225 * For OUTBOUND packet having a socket. Searching SPD for packet,
226 * and return a pointer to SP.
227 * OUT: NULL: no apropreate SP found, the following value is set to error.
229 * EACCES : discard packet.
230 * ENOENT : ipsec_acquire() in progress, maybe.
231 * others : error occured.
232 * others: a pointer to SP
234 * NOTE: IPv6 mapped adddress concern is implemented here.
237 ipsec4_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
239 struct inpcbpolicy *pcbsp = NULL;
240 struct secpolicy *currsp = NULL; /* policy on socket */
241 struct secpolicy *kernsp = NULL; /* policy on kernel */
244 if (m == NULL || so == NULL || error == NULL)
245 panic("ipsec4_getpolicybysock: NULL pointer was passed.");
247 switch (so->so_proto->pr_domain->dom_family) {
249 /* set spidx in pcb */
250 *error = ipsec4_setspidx_inpcb(m, so->so_pcb);
254 /* set spidx in pcb */
255 *error = ipsec6_setspidx_in6pcb(m, so->so_pcb);
259 panic("ipsec4_getpolicybysock: unsupported address family");
263 switch (so->so_proto->pr_domain->dom_family) {
265 pcbsp = sotoinpcb(so)->inp_sp;
269 pcbsp = sotoin6pcb(so)->in6p_sp;
276 panic("ipsec4_getpolicybysock: pcbsp is NULL.");
279 case IPSEC_DIR_INBOUND:
280 currsp = pcbsp->sp_in;
282 case IPSEC_DIR_OUTBOUND:
283 currsp = pcbsp->sp_out;
286 panic("ipsec4_getpolicybysock: illegal direction.");
291 panic("ipsec4_getpolicybysock: currsp is NULL.");
293 lwkt_gettoken(&key_token);
295 /* when privilieged socket */
297 switch (currsp->policy) {
298 case IPSEC_POLICY_BYPASS:
301 lwkt_reltoken(&key_token);
304 case IPSEC_POLICY_ENTRUST:
305 /* look for a policy in SPD */
306 kernsp = key_allocsp(&currsp->spidx, dir);
309 if (kernsp != NULL) {
310 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
311 kprintf("DP ipsec4_getpolicybysock called "
312 "to allocate SP:%p\n", kernsp));
314 lwkt_reltoken(&key_token);
319 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
320 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
322 "fixed system default policy: %d->%d\n",
323 ip4_def_policy.policy, IPSEC_POLICY_NONE));
324 ip4_def_policy.policy = IPSEC_POLICY_NONE;
326 ip4_def_policy.refcnt++;
328 lwkt_reltoken(&key_token);
329 return &ip4_def_policy;
331 case IPSEC_POLICY_IPSEC:
334 lwkt_reltoken(&key_token);
338 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
339 "Invalid policy for PCB %d\n", currsp->policy));
341 lwkt_reltoken(&key_token);
347 /* when non-privilieged socket */
348 /* look for a policy in SPD */
349 kernsp = key_allocsp(&currsp->spidx, dir);
352 if (kernsp != NULL) {
353 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
354 kprintf("DP ipsec4_getpolicybysock called "
355 "to allocate SP:%p\n", kernsp));
357 lwkt_reltoken(&key_token);
362 switch (currsp->policy) {
363 case IPSEC_POLICY_BYPASS:
364 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
365 "Illegal policy for non-priviliged defined %d\n",
368 lwkt_reltoken(&key_token);
371 case IPSEC_POLICY_ENTRUST:
372 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
373 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
375 "fixed system default policy: %d->%d\n",
376 ip4_def_policy.policy, IPSEC_POLICY_NONE));
377 ip4_def_policy.policy = IPSEC_POLICY_NONE;
379 ip4_def_policy.refcnt++;
381 lwkt_reltoken(&key_token);
382 return &ip4_def_policy;
384 case IPSEC_POLICY_IPSEC:
387 lwkt_reltoken(&key_token);
391 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
392 "Invalid policy for PCB %d\n", currsp->policy));
394 lwkt_reltoken(&key_token);
401 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
402 * and return a pointer to SP.
403 * OUT: positive: a pointer to the entry for security policy leaf matched.
404 * NULL: no apropreate SP found, the following value is set to error.
406 * EACCES : discard packet.
407 * ENOENT : ipsec_acquire() in progress, maybe.
408 * others : error occured.
411 ipsec4_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
413 struct secpolicy *sp = NULL;
414 struct secpolicyindex spidx;
417 if (m == NULL || error == NULL)
418 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.");
420 bzero(&spidx, sizeof(spidx));
422 /* make a index to look for a policy */
423 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
424 (flag & IP_FORWARDING) ? 0 : 1);
429 lwkt_gettoken(&key_token);
430 sp = key_allocsp(&spidx, dir);
434 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
435 kprintf("DP ipsec4_getpolicybyaddr called "
436 "to allocate SP:%p\n", sp));
438 lwkt_reltoken(&key_token);
443 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
444 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
445 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
446 ip4_def_policy.policy,
448 ip4_def_policy.policy = IPSEC_POLICY_NONE;
450 ip4_def_policy.refcnt++;
452 lwkt_reltoken(&key_token);
453 return &ip4_def_policy;
458 * For OUTBOUND packet having a socket. Searching SPD for packet,
459 * and return a pointer to SP.
460 * OUT: NULL: no apropreate SP found, the following value is set to error.
462 * EACCES : discard packet.
463 * ENOENT : ipsec_acquire() in progress, maybe.
464 * others : error occured.
465 * others: a pointer to SP
468 ipsec6_getpolicybysock(struct mbuf *m, u_int dir, struct socket *so, int *error)
470 struct inpcbpolicy *pcbsp = NULL;
471 struct secpolicy *currsp = NULL; /* policy on socket */
472 struct secpolicy *kernsp = NULL; /* policy on kernel */
475 if (m == NULL || so == NULL || error == NULL)
476 panic("ipsec6_getpolicybysock: NULL pointer was passed.");
479 if (so->so_proto->pr_domain->dom_family != AF_INET6)
480 panic("ipsec6_getpolicybysock: socket domain != inet6");
483 lwkt_gettoken(&key_token);
485 /* set spidx in pcb */
486 ipsec6_setspidx_in6pcb(m, so->so_pcb);
487 pcbsp = sotoin6pcb(so)->in6p_sp;
491 panic("ipsec6_getpolicybysock: pcbsp is NULL.");
494 case IPSEC_DIR_INBOUND:
495 currsp = pcbsp->sp_in;
497 case IPSEC_DIR_OUTBOUND:
498 currsp = pcbsp->sp_out;
501 panic("ipsec6_getpolicybysock: illegal direction.");
506 panic("ipsec6_getpolicybysock: currsp is NULL.");
508 /* when privilieged socket */
510 switch (currsp->policy) {
511 case IPSEC_POLICY_BYPASS:
515 case IPSEC_POLICY_ENTRUST:
516 /* look for a policy in SPD */
517 kernsp = key_allocsp(&currsp->spidx, dir);
520 if (kernsp != NULL) {
521 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
522 kprintf("DP ipsec6_getpolicybysock called "
523 "to allocate SP:%p\n", kernsp));
530 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
531 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
533 "fixed system default policy: %d->%d\n",
534 ip6_def_policy.policy, IPSEC_POLICY_NONE));
535 ip6_def_policy.policy = IPSEC_POLICY_NONE;
537 currsp = &ip6_def_policy;
541 case IPSEC_POLICY_IPSEC:
546 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
547 "Invalid policy for PCB %d\n", currsp->policy));
549 lwkt_reltoken(&key_token);
553 lwkt_reltoken(&key_token);
558 /* when non-privilieged socket */
559 /* look for a policy in SPD */
560 kernsp = key_allocsp(&currsp->spidx, dir);
563 if (kernsp != NULL) {
564 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
565 kprintf("DP ipsec6_getpolicybysock called "
566 "to allocate SP:%p\n", kernsp));
568 lwkt_reltoken(&key_token);
573 switch (currsp->policy) {
574 case IPSEC_POLICY_BYPASS:
575 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
576 "Illegal policy for non-priviliged defined %d\n",
581 case IPSEC_POLICY_ENTRUST:
582 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
583 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
585 "fixed system default policy: %d->%d\n",
586 ip6_def_policy.policy, IPSEC_POLICY_NONE));
587 ip6_def_policy.policy = IPSEC_POLICY_NONE;
589 currsp = &ip6_def_policy;
593 case IPSEC_POLICY_IPSEC:
599 "ipsec6_policybysock: Invalid policy for PCB %d\n",
605 lwkt_reltoken(&key_token);
610 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
611 * and return a pointer to SP.
612 * `flag' means that packet is to be forwarded whether or not.
614 * OUT: positive: a pointer to the entry for security policy leaf matched.
615 * NULL: no apropreate SP found, the following value is set to error.
617 * EACCES : discard packet.
618 * ENOENT : ipsec_acquire() in progress, maybe.
619 * others : error occured.
621 #ifndef IP_FORWARDING
622 #define IP_FORWARDING 1
626 ipsec6_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
628 struct secpolicy *sp = NULL;
629 struct secpolicyindex spidx;
632 if (m == NULL || error == NULL)
633 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.");
634 bzero(&spidx, sizeof(spidx));
636 lwkt_gettoken(&key_token);
638 /* make a index to look for a policy */
639 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
640 (flag & IP_FORWARDING) ? 0 : 1);
642 lwkt_reltoken(&key_token);
646 sp = key_allocsp(&spidx, dir);
650 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
651 kprintf("DP ipsec6_getpolicybyaddr called "
652 "to allocate SP:%p\n", sp));
654 lwkt_reltoken(&key_token);
659 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
660 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
661 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
662 ip6_def_policy.policy, IPSEC_POLICY_NONE));
663 ip6_def_policy.policy = IPSEC_POLICY_NONE;
665 sp = &ip6_def_policy;
668 lwkt_reltoken(&key_token);
675 * set IP address into spidx from mbuf.
676 * When Forwarding packet and ICMP echo reply, this function is used.
678 * IN: get the followings from mbuf.
679 * protocol family, src, dst, next protocol
682 * other: failure, and set errno.
685 ipsec_setspidx_mbuf(struct secpolicyindex *spidx, u_int dir, u_int family,
686 struct mbuf *m, int needport)
691 if (spidx == NULL || m == NULL)
692 panic("ipsec_setspidx_mbuf: NULL pointer was passed.");
694 bzero(spidx, sizeof(*spidx));
696 error = ipsec_setspidx(m, spidx, needport);
705 bzero(spidx, sizeof(*spidx));
710 ipsec4_setspidx_inpcb(struct mbuf *m, struct inpcb *pcb)
712 struct secpolicyindex *spidx;
717 panic("ipsec4_setspidx_inpcb: no PCB found.");
718 if (pcb->inp_sp == NULL)
719 panic("ipsec4_setspidx_inpcb: no inp_sp found.");
720 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
721 panic("ipsec4_setspidx_inpcb: no sp_in/out found.");
723 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
724 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
726 spidx = &pcb->inp_sp->sp_in->spidx;
727 error = ipsec_setspidx(m, spidx, 1);
730 spidx->dir = IPSEC_DIR_INBOUND;
732 spidx = &pcb->inp_sp->sp_out->spidx;
733 error = ipsec_setspidx(m, spidx, 1);
736 spidx->dir = IPSEC_DIR_OUTBOUND;
741 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
742 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
748 ipsec6_setspidx_in6pcb(struct mbuf *m, struct in6pcb *pcb)
750 struct secpolicyindex *spidx;
755 panic("ipsec6_setspidx_in6pcb: no PCB found.");
756 if (pcb->in6p_sp == NULL)
757 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.");
758 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
759 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.");
761 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
762 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
764 spidx = &pcb->in6p_sp->sp_in->spidx;
765 error = ipsec_setspidx(m, spidx, 1);
768 spidx->dir = IPSEC_DIR_INBOUND;
770 spidx = &pcb->in6p_sp->sp_out->spidx;
771 error = ipsec_setspidx(m, spidx, 1);
774 spidx->dir = IPSEC_DIR_OUTBOUND;
779 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
780 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
786 * configure security policy index (src/dst/proto/sport/dport)
787 * by looking at the content of mbuf.
788 * the caller is responsible for error recovery (like clearing up spidx).
791 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
793 struct ip *ip = NULL;
801 panic("ipsec_setspidx: m == 0 passed.");
804 * validate m->m_pkthdr.len. we see incorrect length if we
805 * mistakenly call this function with inconsistent mbuf chain
806 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
809 for (n = m; n; n = n->m_next)
811 if (m->m_pkthdr.len != len) {
812 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
813 kprintf("ipsec_setspidx: "
814 "total of m_len(%d) != pkthdr.len(%d), "
816 len, m->m_pkthdr.len));
820 if (m->m_pkthdr.len < sizeof(struct ip)) {
821 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
822 kprintf("ipsec_setspidx: "
823 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
828 if (m->m_len >= sizeof(*ip))
829 ip = mtod(m, struct ip *);
831 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
835 v = _IP_VHL_V(ip->ip_vhl);
841 error = ipsec4_setspidx_ipaddr(m, spidx);
844 ipsec4_get_ulp(m, spidx, needport);
848 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
849 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
850 kprintf("ipsec_setspidx: "
851 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
852 "ignored.\n", m->m_pkthdr.len));
855 error = ipsec6_setspidx_ipaddr(m, spidx);
858 ipsec6_get_ulp(m, spidx, needport);
862 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
863 kprintf("ipsec_setspidx: "
864 "unknown IP version %u, ignored.\n", v));
870 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
881 panic("ipsec4_get_ulp: NULL pointer was passed.");
882 if (m->m_pkthdr.len < sizeof(ip))
883 panic("ipsec4_get_ulp: too short");
886 spidx->ul_proto = IPSEC_ULPROTO_ANY;
887 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
888 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
890 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
891 /* ip_input() flips it into host endian XXX need more checking */
892 if (ip.ip_off & (IP_MF | IP_OFFMASK))
897 off = _IP_VHL_HL(ip->ip_vhl) << 2;
901 while (off < m->m_pkthdr.len) {
904 spidx->ul_proto = nxt;
907 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
909 m_copydata(m, off, sizeof(th), (caddr_t)&th);
910 ((struct sockaddr_in *)&spidx->src)->sin_port =
912 ((struct sockaddr_in *)&spidx->dst)->sin_port =
916 spidx->ul_proto = nxt;
919 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
921 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
922 ((struct sockaddr_in *)&spidx->src)->sin_port =
924 ((struct sockaddr_in *)&spidx->dst)->sin_port =
928 if (off + sizeof(ip6e) > m->m_pkthdr.len)
930 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
931 off += (ip6e.ip6e_len + 2) << 2;
936 /* XXX intermediate headers??? */
937 spidx->ul_proto = nxt;
943 /* assumes that m is sane */
945 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
947 struct ip *ip = NULL;
949 struct sockaddr_in *sin;
951 if (m->m_len >= sizeof(*ip))
952 ip = mtod(m, struct ip *);
954 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
958 sin = (struct sockaddr_in *)&spidx->src;
959 bzero(sin, sizeof(*sin));
960 sin->sin_family = AF_INET;
961 sin->sin_len = sizeof(struct sockaddr_in);
962 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
963 spidx->prefs = sizeof(struct in_addr) << 3;
965 sin = (struct sockaddr_in *)&spidx->dst;
966 bzero(sin, sizeof(*sin));
967 sin->sin_family = AF_INET;
968 sin->sin_len = sizeof(struct sockaddr_in);
969 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
970 spidx->prefd = sizeof(struct in_addr) << 3;
976 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
984 panic("ipsec6_get_ulp: NULL pointer was passed.");
986 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
987 kprintf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
990 spidx->ul_proto = IPSEC_ULPROTO_ANY;
991 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
992 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
995 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
996 if (off < 0 || m->m_pkthdr.len < off)
1001 spidx->ul_proto = nxt;
1004 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1006 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1007 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1008 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1011 spidx->ul_proto = nxt;
1014 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1016 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1017 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1018 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1020 case IPPROTO_ICMPV6:
1022 /* XXX intermediate headers??? */
1023 spidx->ul_proto = nxt;
1028 /* assumes that m is sane */
1030 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1032 struct ip6_hdr *ip6 = NULL;
1033 struct ip6_hdr ip6buf;
1034 struct sockaddr_in6 *sin6;
1036 if (m->m_len >= sizeof(*ip6))
1037 ip6 = mtod(m, struct ip6_hdr *);
1039 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1043 sin6 = (struct sockaddr_in6 *)&spidx->src;
1044 bzero(sin6, sizeof(*sin6));
1045 sin6->sin6_family = AF_INET6;
1046 sin6->sin6_len = sizeof(struct sockaddr_in6);
1047 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1048 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1049 sin6->sin6_addr.s6_addr16[1] = 0;
1050 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1052 spidx->prefs = sizeof(struct in6_addr) << 3;
1054 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1055 bzero(sin6, sizeof(*sin6));
1056 sin6->sin6_family = AF_INET6;
1057 sin6->sin6_len = sizeof(struct sockaddr_in6);
1058 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1059 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1060 sin6->sin6_addr.s6_addr16[1] = 0;
1061 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1063 spidx->prefd = sizeof(struct in6_addr) << 3;
1069 static struct inpcbpolicy *
1070 ipsec_newpcbpolicy(void)
1072 struct inpcbpolicy *p;
1074 p = (struct inpcbpolicy *)kmalloc(sizeof(*p), M_SECA, M_NOWAIT);
1079 ipsec_delpcbpolicy(struct inpcbpolicy *p)
1084 /* initialize policy in PCB */
1086 ipsec_init_policy(struct socket *so, struct inpcbpolicy **pcb_sp)
1088 struct inpcbpolicy *new;
1091 if (so == NULL || pcb_sp == NULL)
1092 panic("ipsec_init_policy: NULL pointer was passed.");
1094 lwkt_gettoken(&key_token);
1096 new = ipsec_newpcbpolicy();
1098 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1099 lwkt_reltoken(&key_token);
1102 bzero(new, sizeof(*new));
1104 if (so->so_cred != NULL && so->so_cred->cr_uid == 0)
1109 if ((new->sp_in = key_newsp()) == NULL) {
1110 ipsec_delpcbpolicy(new);
1111 lwkt_reltoken(&key_token);
1114 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1115 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1117 if ((new->sp_out = key_newsp()) == NULL) {
1118 key_freesp(new->sp_in);
1119 ipsec_delpcbpolicy(new);
1120 lwkt_reltoken(&key_token);
1123 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1124 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1127 lwkt_reltoken(&key_token);
1132 /* copy old ipsec policy into new */
1134 ipsec_copy_policy(struct inpcbpolicy *old, struct inpcbpolicy *new)
1136 struct secpolicy *sp;
1138 lwkt_gettoken(&key_token);
1139 sp = ipsec_deepcopy_policy(old->sp_in);
1141 key_freesp(new->sp_in);
1144 lwkt_reltoken(&key_token);
1148 sp = ipsec_deepcopy_policy(old->sp_out);
1150 key_freesp(new->sp_out);
1153 lwkt_reltoken(&key_token);
1157 new->priv = old->priv;
1158 lwkt_reltoken(&key_token);
1163 /* deep-copy a policy in PCB */
1164 static struct secpolicy *
1165 ipsec_deepcopy_policy(struct secpolicy *src)
1167 struct ipsecrequest *newchain = NULL;
1168 struct ipsecrequest *p;
1169 struct ipsecrequest **q;
1170 struct ipsecrequest *r;
1171 struct secpolicy *dst;
1173 lwkt_gettoken(&key_token);
1175 if (src == NULL || dst == NULL) {
1176 lwkt_reltoken(&key_token);
1181 * deep-copy IPsec request chain. This is required since struct
1182 * ipsecrequest is not reference counted.
1185 for (p = src->req; p; p = p->next) {
1186 *q = (struct ipsecrequest *)kmalloc(sizeof(struct ipsecrequest),
1187 M_SECA, M_NOWAIT | M_ZERO);
1192 (*q)->saidx.proto = p->saidx.proto;
1193 (*q)->saidx.mode = p->saidx.mode;
1194 (*q)->level = p->level;
1195 (*q)->saidx.reqid = p->saidx.reqid;
1197 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1198 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1206 dst->req = newchain;
1207 dst->state = src->state;
1208 dst->policy = src->policy;
1209 /* do not touch the refcnt fields */
1210 lwkt_reltoken(&key_token);
1215 lwkt_reltoken(&key_token);
1216 for (p = newchain; p; p = r) {
1224 /* set policy and ipsec request if present. */
1226 ipsec_set_policy(struct secpolicy **pcb_sp, int optname, caddr_t request,
1227 size_t len, int priv)
1229 struct sadb_x_policy *xpl;
1230 struct secpolicy *newsp = NULL;
1234 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1236 if (len < sizeof(*xpl))
1238 xpl = (struct sadb_x_policy *)request;
1240 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1241 kprintf("ipsec_set_policy: passed policy\n");
1242 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1244 /* check policy type */
1245 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1246 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1247 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1250 /* check privileged socket */
1251 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1254 /* allocation new SP entry */
1255 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1258 newsp->state = IPSEC_SPSTATE_ALIVE;
1260 /* clear old SP and set new SP */
1261 key_freesp(*pcb_sp);
1263 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1264 kprintf("ipsec_set_policy: new policy\n");
1265 kdebug_secpolicy(newsp));
1271 ipsec_get_policy(struct secpolicy *pcb_sp, struct mbuf **mp)
1275 if (pcb_sp == NULL || mp == NULL)
1278 *mp = key_sp2msg(pcb_sp);
1280 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1284 KKASSERT((*mp)->m_type == MT_DATA);
1285 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1286 kprintf("ipsec_get_policy:\n");
1293 ipsec4_set_policy(struct inpcb *inp, int optname, caddr_t request, size_t len,
1296 struct sadb_x_policy *xpl;
1297 struct secpolicy **pcb_sp;
1301 if (inp == NULL || request == NULL)
1303 if (len < sizeof(*xpl))
1305 xpl = (struct sadb_x_policy *)request;
1307 lwkt_gettoken(&key_token);
1308 /* select direction */
1309 switch (xpl->sadb_x_policy_dir) {
1310 case IPSEC_DIR_INBOUND:
1311 pcb_sp = &inp->inp_sp->sp_in;
1313 case IPSEC_DIR_OUTBOUND:
1314 pcb_sp = &inp->inp_sp->sp_out;
1317 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1318 xpl->sadb_x_policy_dir));
1319 lwkt_reltoken(&key_token);
1322 error = ipsec_set_policy(pcb_sp, optname, request, len, priv);
1323 lwkt_reltoken(&key_token);
1328 ipsec4_get_policy(struct inpcb *inp, caddr_t request, size_t len,
1331 struct sadb_x_policy *xpl;
1332 struct secpolicy *pcb_sp;
1336 if (inp == NULL || request == NULL || mp == NULL)
1338 if (inp->inp_sp == NULL)
1339 panic("policy in PCB is NULL");
1340 if (len < sizeof(*xpl))
1342 xpl = (struct sadb_x_policy *)request;
1344 lwkt_gettoken(&key_token);
1346 /* select direction */
1347 switch (xpl->sadb_x_policy_dir) {
1348 case IPSEC_DIR_INBOUND:
1349 pcb_sp = inp->inp_sp->sp_in;
1351 case IPSEC_DIR_OUTBOUND:
1352 pcb_sp = inp->inp_sp->sp_out;
1355 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1356 xpl->sadb_x_policy_dir));
1357 lwkt_reltoken(&key_token);
1360 error = ipsec_get_policy(pcb_sp, mp);
1361 lwkt_reltoken(&key_token);
1365 /* delete policy in PCB */
1367 ipsec4_delete_pcbpolicy(struct inpcb *inp)
1369 struct inpcbpolicy *isp;
1373 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.");
1375 lwkt_gettoken(&key_token);
1377 if ((isp = inp->inp_sp) == NULL) {
1378 lwkt_reltoken(&key_token);
1382 if (isp->sp_in != NULL) {
1383 key_freesp(isp->sp_in);
1387 if (isp->sp_out != NULL) {
1388 key_freesp(isp->sp_out);
1391 KKASSERT(inp->inp_sp == isp);
1393 ipsec_delpcbpolicy(isp);
1394 lwkt_reltoken(&key_token);
1401 ipsec6_set_policy(struct in6pcb *in6p, int optname, caddr_t request, size_t len,
1404 struct sadb_x_policy *xpl;
1405 struct secpolicy **pcb_sp;
1409 if (in6p == NULL || request == NULL)
1411 if (len < sizeof(*xpl))
1413 xpl = (struct sadb_x_policy *)request;
1415 lwkt_gettoken(&key_token);
1417 /* select direction */
1418 switch (xpl->sadb_x_policy_dir) {
1419 case IPSEC_DIR_INBOUND:
1420 pcb_sp = &in6p->in6p_sp->sp_in;
1422 case IPSEC_DIR_OUTBOUND:
1423 pcb_sp = &in6p->in6p_sp->sp_out;
1426 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1427 xpl->sadb_x_policy_dir));
1428 lwkt_reltoken(&key_token);
1432 error = ipsec_set_policy(pcb_sp, optname, request, len, priv);
1433 lwkt_reltoken(&key_token);
1438 ipsec6_get_policy(struct in6pcb *in6p, caddr_t request, size_t len,
1441 struct sadb_x_policy *xpl;
1442 struct secpolicy *pcb_sp;
1446 if (in6p == NULL || request == NULL || mp == NULL)
1448 if (in6p->in6p_sp == NULL)
1449 panic("policy in PCB is NULL");
1450 if (len < sizeof(*xpl))
1452 xpl = (struct sadb_x_policy *)request;
1454 lwkt_gettoken(&key_token);
1456 /* select direction */
1457 switch (xpl->sadb_x_policy_dir) {
1458 case IPSEC_DIR_INBOUND:
1459 pcb_sp = in6p->in6p_sp->sp_in;
1461 case IPSEC_DIR_OUTBOUND:
1462 pcb_sp = in6p->in6p_sp->sp_out;
1465 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1466 xpl->sadb_x_policy_dir));
1467 lwkt_reltoken(&key_token);
1471 error = ipsec_get_policy(pcb_sp, mp);
1472 lwkt_reltoken(&key_token);
1477 ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
1479 struct inpcbpolicy *isp;
1483 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.");
1485 lwkt_gettoken(&key_token);
1487 if ((isp = in6p->in6p_sp) == NULL) {
1488 lwkt_reltoken(&key_token);
1492 if (isp->sp_in != NULL) {
1493 key_freesp(isp->sp_in);
1497 if (isp->sp_out != NULL) {
1498 key_freesp(isp->sp_out);
1501 KKASSERT(in6p->in6p_sp == isp);
1502 in6p->in6p_sp = NULL;
1503 ipsec_delpcbpolicy(isp);
1504 lwkt_reltoken(&key_token);
1511 * return current level.
1512 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1515 ipsec_get_reqlevel(struct ipsecrequest *isr)
1518 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1521 if (isr == NULL || isr->sp == NULL)
1522 panic("ipsec_get_reqlevel: NULL pointer is passed.");
1523 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1524 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1525 panic("ipsec_get_reqlevel: family mismatched.");
1527 /* XXX note that we have ipseclog() expanded here - code sync issue */
1528 #define IPSEC_CHECK_DEFAULT(lev) \
1529 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1530 && (lev) != IPSEC_LEVEL_UNIQUE) \
1532 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1533 (lev), IPSEC_LEVEL_REQUIRE) \
1535 (lev) = IPSEC_LEVEL_REQUIRE, \
1539 /* set default level */
1540 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1543 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1544 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1545 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1546 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1551 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1552 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1553 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1554 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1558 panic("key_get_reqlevel: Unknown family. %d",
1559 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1562 #undef IPSEC_CHECK_DEFAULT
1565 switch (isr->level) {
1566 case IPSEC_LEVEL_DEFAULT:
1567 switch (isr->saidx.proto) {
1569 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1570 level = esp_net_deflev;
1572 level = esp_trans_deflev;
1575 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1576 level = ah_net_deflev;
1578 level = ah_trans_deflev;
1579 case IPPROTO_IPCOMP:
1581 * we don't really care, as IPcomp document says that
1582 * we shouldn't compress small packets
1584 level = IPSEC_LEVEL_USE;
1587 panic("ipsec_get_reqlevel: "
1588 "Illegal protocol defined %u",
1593 case IPSEC_LEVEL_USE:
1594 case IPSEC_LEVEL_REQUIRE:
1597 case IPSEC_LEVEL_UNIQUE:
1598 level = IPSEC_LEVEL_REQUIRE;
1602 panic("ipsec_get_reqlevel: Illegal IPsec level %u",
1610 * Check AH/ESP integrity.
1616 ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
1618 struct ipsecrequest *isr;
1620 int need_auth, need_conf, need_icv;
1622 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1623 kprintf("ipsec_in_reject: using SP\n");
1624 kdebug_secpolicy(sp));
1627 switch (sp->policy) {
1628 case IPSEC_POLICY_DISCARD:
1630 case IPSEC_POLICY_BYPASS:
1631 case IPSEC_POLICY_NONE:
1634 case IPSEC_POLICY_IPSEC:
1637 case IPSEC_POLICY_ENTRUST:
1639 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1646 /* XXX should compare policy against ipsec header history */
1648 for (isr = sp->req; isr != NULL; isr = isr->next) {
1650 /* get current level */
1651 level = ipsec_get_reqlevel(isr);
1653 switch (isr->saidx.proto) {
1655 if (level == IPSEC_LEVEL_REQUIRE) {
1658 if (isr->sav != NULL
1659 && isr->sav->flags == SADB_X_EXT_NONE
1660 && isr->sav->alg_auth != SADB_AALG_NONE)
1665 if (level == IPSEC_LEVEL_REQUIRE) {
1670 case IPPROTO_IPCOMP:
1672 * we don't really care, as IPcomp document says that
1673 * we shouldn't compress small packets, IPComp policy
1674 * should always be treated as being in "use" level.
1680 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1681 kprintf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1682 need_auth, need_conf, need_icv, m->m_flags));
1684 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1685 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1686 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1693 * Check AH/ESP integrity.
1694 * This function is called from tcp_input(), udp_input(),
1695 * and {ah,esp}4_input for tunnel mode
1698 ipsec4_in_reject_so(struct mbuf *m, struct socket *so)
1700 struct secpolicy *sp = NULL;
1706 return 0; /* XXX should be panic ? */
1708 /* get SP for this packet.
1709 * When we are called from ip_forward(), we call
1710 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1712 lwkt_gettoken(&key_token);
1714 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1716 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1719 lwkt_reltoken(&key_token);
1723 result = ipsec_in_reject(sp, m);
1724 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1725 kprintf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1727 lwkt_reltoken(&key_token);
1733 ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
1736 return ipsec4_in_reject_so(m, NULL);
1737 if (inp->inp_socket)
1738 return ipsec4_in_reject_so(m, inp->inp_socket);
1740 panic("ipsec4_in_reject: invalid inpcb/socket");
1745 * Check AH/ESP integrity.
1746 * This function is called from tcp6_input(), udp6_input(),
1747 * and {ah,esp}6_input for tunnel mode
1750 ipsec6_in_reject_so(struct mbuf *m, struct socket *so)
1752 struct secpolicy *sp = NULL;
1758 return 0; /* XXX should be panic ? */
1760 /* get SP for this packet.
1761 * When we are called from ip_forward(), we call
1762 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1764 lwkt_gettoken(&key_token);
1766 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1768 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1771 lwkt_reltoken(&key_token);
1772 return 0; /* XXX should be panic ? */
1775 result = ipsec_in_reject(sp, m);
1776 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1777 kprintf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1779 lwkt_reltoken(&key_token);
1785 ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p)
1788 return ipsec6_in_reject_so(m, NULL);
1789 if (in6p->in6p_socket)
1790 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1792 panic("ipsec6_in_reject: invalid in6p/socket");
1797 * compute the byte size to be occupied by IPsec header.
1798 * in case it is tunneled, it includes the size of outer IP header.
1799 * NOTE: SP passed is free in this function.
1802 ipsec_hdrsiz(struct secpolicy *sp)
1804 struct ipsecrequest *isr;
1807 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1808 kprintf("ipsec_hdrsiz: using SP\n");
1809 kdebug_secpolicy(sp));
1812 switch (sp->policy) {
1813 case IPSEC_POLICY_DISCARD:
1814 case IPSEC_POLICY_BYPASS:
1815 case IPSEC_POLICY_NONE:
1818 case IPSEC_POLICY_IPSEC:
1821 case IPSEC_POLICY_ENTRUST:
1823 panic("ipsec_hdrsiz: Invalid policy found. %d", sp->policy);
1828 for (isr = sp->req; isr != NULL; isr = isr->next) {
1832 switch (isr->saidx.proto) {
1835 clen = esp_hdrsiz(isr);
1841 clen = ah_hdrsiz(isr);
1843 case IPPROTO_IPCOMP:
1844 clen = sizeof(struct ipcomp);
1848 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1849 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1851 clen += sizeof(struct ip);
1855 clen += sizeof(struct ip6_hdr);
1859 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1860 "unknown AF %d in IPsec tunnel SA\n",
1861 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1871 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1873 ipsec4_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
1875 struct secpolicy *sp = NULL;
1881 return 0; /* XXX should be panic ? */
1882 if (inp != NULL && inp->inp_socket == NULL)
1883 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1885 /* get SP for this packet.
1886 * When we are called from ip_forward(), we call
1887 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1889 lwkt_gettoken(&key_token);
1891 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1893 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
1896 lwkt_reltoken(&key_token);
1897 return 0; /* XXX should be panic ? */
1900 size = ipsec_hdrsiz(sp);
1901 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1902 kprintf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
1903 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1904 kprintf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
1906 lwkt_reltoken(&key_token);
1912 /* This function is called from ipsec6_hdrsize_tcp(),
1913 * and maybe from ip6_forward.()
1916 ipsec6_hdrsiz(struct mbuf *m, u_int dir, struct in6pcb *in6p)
1918 struct secpolicy *sp = NULL;
1924 return 0; /* XXX shoud be panic ? */
1925 if (in6p != NULL && in6p->in6p_socket == NULL)
1926 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1928 /* get SP for this packet */
1929 /* XXX Is it right to call with IP_FORWARDING. */
1930 lwkt_gettoken(&key_token);
1932 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1934 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
1937 lwkt_reltoken(&key_token);
1940 size = ipsec_hdrsiz(sp);
1941 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1942 kprintf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
1943 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1944 kprintf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
1946 lwkt_reltoken(&key_token);
1954 * encapsulate for ipsec tunnel.
1955 * ip->ip_src must be fixed later on.
1958 ipsec4_encapsulate(struct mbuf *m, struct secasvar *sav)
1965 /* can't tunnel between different AFs */
1966 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
1967 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
1968 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
1973 /* XXX if the dst is myself, perform nothing. */
1974 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
1980 if (m->m_len < sizeof(*ip))
1981 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1983 ip = mtod(m, struct ip *);
1985 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
1987 hlen = ip->ip_hl << 2;
1990 if (m->m_len != hlen)
1991 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1993 /* generate header checksum */
1996 if (ip->ip_vhl == IP_VHL_BORING)
1997 ip->ip_sum = in_cksum_hdr(ip);
1999 ip->ip_sum = in_cksum(m, hlen);
2001 ip->ip_sum = in_cksum(m, hlen);
2004 plen = m->m_pkthdr.len;
2007 * grow the mbuf to accomodate the new IPv4 header.
2008 * NOTE: IPv4 options will never be copied.
2010 if (M_LEADINGSPACE(m->m_next) < hlen) {
2012 MGET(n, MB_DONTWAIT, MT_DATA);
2018 n->m_next = m->m_next;
2020 m->m_pkthdr.len += hlen;
2021 oip = mtod(n, struct ip *);
2023 m->m_next->m_len += hlen;
2024 m->m_next->m_data -= hlen;
2025 m->m_pkthdr.len += hlen;
2026 oip = mtod(m->m_next, struct ip *);
2028 ip = mtod(m, struct ip *);
2029 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2030 m->m_len = sizeof(struct ip);
2031 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2033 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2034 /* ECN consideration. */
2035 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2037 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2039 ip->ip_hl = sizeof(struct ip) >> 2;
2041 ip->ip_off &= htons(~IP_OFFMASK);
2042 ip->ip_off &= htons(~IP_MF);
2043 switch (ip4_ipsec_dfbit) {
2044 case 0: /* clear DF bit */
2045 ip->ip_off &= htons(~IP_DF);
2047 case 1: /* set DF bit */
2048 ip->ip_off |= htons(IP_DF);
2050 default: /* copy DF bit */
2053 ip->ip_p = IPPROTO_IPIP;
2054 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2055 ip->ip_len = htons(plen + sizeof(struct ip));
2057 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2058 "leave ip_len as is (invalid packet)\n"));
2061 ip->ip_id = ip_randomid();
2063 ip->ip_id = htons(ip_id++);
2065 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2066 &ip->ip_src, sizeof(ip->ip_src));
2067 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2068 &ip->ip_dst, sizeof(ip->ip_dst));
2069 ip->ip_ttl = IPDEFTTL;
2071 /* XXX Should ip_src be updated later ? */
2079 ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
2081 struct ip6_hdr *oip6;
2082 struct ip6_hdr *ip6;
2085 /* can't tunnel between different AFs */
2086 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2087 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2088 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2093 /* XXX if the dst is myself, perform nothing. */
2094 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2100 plen = m->m_pkthdr.len;
2103 * grow the mbuf to accomodate the new IPv6 header.
2105 if (m->m_len != sizeof(struct ip6_hdr))
2106 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2107 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2109 MGET(n, MB_DONTWAIT, MT_DATA);
2114 n->m_len = sizeof(struct ip6_hdr);
2115 n->m_next = m->m_next;
2117 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2118 oip6 = mtod(n, struct ip6_hdr *);
2120 m->m_next->m_len += sizeof(struct ip6_hdr);
2121 m->m_next->m_data -= sizeof(struct ip6_hdr);
2122 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2123 oip6 = mtod(m->m_next, struct ip6_hdr *);
2125 ip6 = mtod(m, struct ip6_hdr *);
2126 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2128 /* Fake link-local scope-class addresses */
2129 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2130 oip6->ip6_src.s6_addr16[1] = 0;
2131 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2132 oip6->ip6_dst.s6_addr16[1] = 0;
2134 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2135 /* ECN consideration. */
2136 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2137 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2138 ip6->ip6_plen = htons(plen);
2140 /* ip6->ip6_plen will be updated in ip6_output() */
2142 ip6->ip6_nxt = IPPROTO_IPV6;
2143 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2144 &ip6->ip6_src, sizeof(ip6->ip6_src));
2145 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2146 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2147 ip6->ip6_hlim = IPV6_DEFHLIM;
2149 /* XXX Should ip6_src be updated later ? */
2156 * Check the variable replay window.
2157 * ipsec_chkreplay() performs replay check before ICV verification.
2158 * ipsec_updatereplay() updates replay bitmap. This must be called after
2159 * ICV verification (it also performs replay check, which is usually done
2161 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2163 * based on RFC 2401.
2166 ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
2168 const struct secreplay *replay;
2171 u_int32_t wsizeb; /* constant: bits of window size */
2172 int frlast; /* constant: last frame */
2176 panic("ipsec_chkreplay: NULL pointer was passed.");
2178 replay = sav->replay;
2180 if (replay->wsize == 0)
2181 return 1; /* no need to check replay. */
2184 frlast = replay->wsize - 1;
2185 wsizeb = replay->wsize << 3;
2187 /* sequence number of 0 is invalid */
2191 /* first time is always okay */
2192 if (replay->count == 0)
2195 if (seq > replay->lastseq) {
2196 /* larger sequences are okay */
2199 /* seq is equal or less than lastseq. */
2200 diff = replay->lastseq - seq;
2202 /* over range to check, i.e. too old or wrapped */
2206 fr = frlast - diff / 8;
2208 /* this packet already seen ? */
2209 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2212 /* out of order but good */
2218 * check replay counter whether to update or not.
2223 ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
2225 struct secreplay *replay;
2228 u_int32_t wsizeb; /* constant: bits of window size */
2229 int frlast; /* constant: last frame */
2233 panic("ipsec_chkreplay: NULL pointer was passed.");
2235 replay = sav->replay;
2237 if (replay->wsize == 0)
2238 goto ok; /* no need to check replay. */
2241 frlast = replay->wsize - 1;
2242 wsizeb = replay->wsize << 3;
2244 /* sequence number of 0 is invalid */
2249 if (replay->count == 0) {
2250 replay->lastseq = seq;
2251 bzero(replay->bitmap, replay->wsize);
2252 (replay->bitmap)[frlast] = 1;
2256 if (seq > replay->lastseq) {
2257 /* seq is larger than lastseq. */
2258 diff = seq - replay->lastseq;
2260 /* new larger sequence number */
2261 if (diff < wsizeb) {
2263 /* set bit for this packet */
2264 vshiftl(replay->bitmap, diff, replay->wsize);
2265 (replay->bitmap)[frlast] |= 1;
2267 /* this packet has a "way larger" */
2268 bzero(replay->bitmap, replay->wsize);
2269 (replay->bitmap)[frlast] = 1;
2271 replay->lastseq = seq;
2273 /* larger is good */
2275 /* seq is equal or less than lastseq. */
2276 diff = replay->lastseq - seq;
2278 /* over range to check, i.e. too old or wrapped */
2282 fr = frlast - diff / 8;
2284 /* this packet already seen ? */
2285 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2289 (replay->bitmap)[fr] |= (1 << (diff % 8));
2291 /* out of order but good */
2295 if (replay->count == ~0) {
2297 /* set overflow flag */
2300 /* don't increment, no more packets accepted */
2301 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2304 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2305 replay->overflow, ipsec_logsastr(sav)));
2314 * shift variable length buffer to left.
2315 * IN: bitmap: pointer to the buffer
2316 * nbit: the number of to shift.
2317 * wsize: buffer size (bytes).
2320 vshiftl(unsigned char *bitmap, int nbit, int wsize)
2325 for (j = 0; j < nbit; j += 8) {
2326 s = (nbit - j < 8) ? (nbit - j): 8;
2328 for (i = 1; i < wsize; i++) {
2329 over = (bitmap[i] >> (8 - s));
2331 bitmap[i-1] |= over;
2339 ipsec4_logpacketstr(struct ip *ip, u_int32_t spi)
2341 static char buf[256];
2345 s = (u_int8_t *)(&ip->ip_src);
2346 d = (u_int8_t *)(&ip->ip_dst);
2349 ksnprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2352 ksnprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2353 s[0], s[1], s[2], s[3]);
2356 ksnprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2357 d[0], d[1], d[2], d[3]);
2360 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2367 ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi)
2369 static char buf[256];
2373 ksnprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2376 ksnprintf(p, sizeof(buf) - (p - buf), "src=%s",
2377 ip6_sprintf(&ip6->ip6_src));
2380 ksnprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2381 ip6_sprintf(&ip6->ip6_dst));
2384 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2391 ipsec_logsastr(struct secasvar *sav)
2393 static char buf[256];
2395 struct secasindex *saidx = &sav->sah->saidx;
2397 /* validity check */
2398 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2399 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2400 panic("ipsec_logsastr: family mismatched.");
2403 ksnprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2406 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2408 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2409 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2410 ksnprintf(p, sizeof(buf) - (p - buf),
2411 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2412 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2415 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2416 ksnprintf(p, sizeof(buf) - (p - buf),
2418 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2421 ksnprintf(p, sizeof(buf) - (p - buf),
2423 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2428 ksnprintf(p, sizeof(buf) - (p - buf), ")");
2434 ipsec_dumpmbuf(struct mbuf *m)
2443 p = mtod(m, u_char *);
2444 for (i = 0; i < m->m_len; i++) {
2445 kprintf("%02x ", p[i]);
2447 if (totlen % 16 == 0)
2452 if (totlen % 16 != 0)
2459 * IPsec output logic for IPv4.
2462 ipsec4_output(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
2464 struct ip *ip = NULL;
2465 struct ipsecrequest *isr = NULL;
2466 struct secasindex saidx;
2468 struct sockaddr_in *dst4;
2469 struct sockaddr_in *sin;
2472 panic("state == NULL in ipsec4_output");
2474 panic("state->m == NULL in ipsec4_output");
2476 panic("state->ro == NULL in ipsec4_output");
2478 panic("state->dst == NULL in ipsec4_output");
2480 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2481 kprintf("ipsec4_output: applyed SP\n");
2482 kdebug_secpolicy(sp));
2484 for (isr = sp->req; isr != NULL; isr = isr->next) {
2486 #if 0 /* give up to check restriction of transport mode */
2487 /* XXX but should be checked somewhere */
2489 * some of the IPsec operation must be performed only in
2492 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2493 && (flags & IP_FORWARDING))
2497 /* make SA index for search proper SA */
2498 ip = mtod(state->m, struct ip *);
2499 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2500 saidx.mode = isr->saidx.mode;
2501 saidx.reqid = isr->saidx.reqid;
2502 sin = (struct sockaddr_in *)&saidx.src;
2503 if (sin->sin_len == 0) {
2504 sin->sin_len = sizeof(*sin);
2505 sin->sin_family = AF_INET;
2506 sin->sin_port = IPSEC_PORT_ANY;
2507 bcopy(&ip->ip_src, &sin->sin_addr,
2508 sizeof(sin->sin_addr));
2510 sin = (struct sockaddr_in *)&saidx.dst;
2511 if (sin->sin_len == 0) {
2512 sin->sin_len = sizeof(*sin);
2513 sin->sin_family = AF_INET;
2514 sin->sin_port = IPSEC_PORT_ANY;
2515 bcopy(&ip->ip_dst, &sin->sin_addr,
2516 sizeof(sin->sin_addr));
2519 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2521 * IPsec processing is required, but no SA found.
2522 * I assume that key_acquire() had been called
2523 * to get/establish the SA. Here I discard
2524 * this packet because it is responsibility for
2525 * upper layer to retransmit the packet.
2527 ipsecstat.out_nosa++;
2531 /* validity check */
2532 if (isr->sav == NULL) {
2533 switch (ipsec_get_reqlevel(isr)) {
2534 case IPSEC_LEVEL_USE:
2536 case IPSEC_LEVEL_REQUIRE:
2537 /* must be not reached here. */
2538 panic("ipsec4_output: no SA found, but required.");
2543 * If there is no valid SA, we give up to process any
2544 * more. In such a case, the SA's status is changed
2545 * from DYING to DEAD after allocating. If a packet
2546 * send to the receiver by dead SA, the receiver can
2547 * not decode a packet because SA has been dead.
2549 if (isr->sav->state != SADB_SASTATE_MATURE
2550 && isr->sav->state != SADB_SASTATE_DYING) {
2551 ipsecstat.out_nosa++;
2557 * There may be the case that SA status will be changed when
2558 * we are refering to one. So calling crit_enter().
2562 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2564 * build IPsec tunnel.
2566 /* XXX should be processed with other familiy */
2567 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2568 ipseclog((LOG_ERR, "ipsec4_output: "
2569 "family mismatched between inner and outer spi=%u\n",
2570 (u_int32_t)ntohl(isr->sav->spi)));
2572 error = EAFNOSUPPORT;
2576 state->m = ipsec4_splithdr(state->m);
2582 error = ipsec4_encapsulate(state->m, isr->sav);
2588 ip = mtod(state->m, struct ip *);
2590 state->ro = &isr->sav->sah->sa_route;
2591 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2592 dst4 = (struct sockaddr_in *)state->dst;
2593 if (state->ro->ro_rt
2594 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2595 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2596 RTFREE(state->ro->ro_rt);
2597 state->ro->ro_rt = NULL;
2599 if (state->ro->ro_rt == NULL) {
2600 dst4->sin_family = AF_INET;
2601 dst4->sin_len = sizeof(*dst4);
2602 dst4->sin_addr = ip->ip_dst;
2605 if (state->ro->ro_rt == NULL) {
2606 ipstat.ips_noroute++;
2607 error = EHOSTUNREACH;
2611 /* adjust state->dst if tunnel endpoint is offlink */
2612 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2613 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2614 dst4 = (struct sockaddr_in *)state->dst;
2619 state->m = ipsec4_splithdr(state->m);
2624 switch (isr->saidx.proto) {
2627 if ((error = esp4_output(state->m, isr)) != 0) {
2639 if ((error = ah4_output(state->m, isr)) != 0) {
2644 case IPPROTO_IPCOMP:
2645 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2652 "ipsec4_output: unknown ipsec protocol %d\n",
2660 if (state->m == NULL) {
2664 ip = mtod(state->m, struct ip *);
2678 * IPsec output logic for IPv6, transport mode.
2681 ipsec6_output_trans(struct ipsec_output_state *state, u_char *nexthdrp,
2682 struct mbuf *mprev, struct secpolicy *sp, int flags,
2685 struct ip6_hdr *ip6;
2686 struct ipsecrequest *isr = NULL;
2687 struct secasindex saidx;
2690 struct sockaddr_in6 *sin6;
2693 panic("state == NULL in ipsec6_output_trans");
2695 panic("state->m == NULL in ipsec6_output_trans");
2697 panic("nexthdrp == NULL in ipsec6_output_trans");
2699 panic("mprev == NULL in ipsec6_output_trans");
2701 panic("sp == NULL in ipsec6_output_trans");
2703 panic("tun == NULL in ipsec6_output_trans");
2705 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2706 kprintf("ipsec6_output_trans: applyed SP\n");
2707 kdebug_secpolicy(sp));
2709 lwkt_gettoken(&key_token);
2712 for (isr = sp->req; isr; isr = isr->next) {
2713 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2714 /* the rest will be handled by ipsec6_output_tunnel() */
2718 /* make SA index for search proper SA */
2719 ip6 = mtod(state->m, struct ip6_hdr *);
2720 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2721 saidx.mode = isr->saidx.mode;
2722 saidx.reqid = isr->saidx.reqid;
2723 sin6 = (struct sockaddr_in6 *)&saidx.src;
2724 if (sin6->sin6_len == 0) {
2725 sin6->sin6_len = sizeof(*sin6);
2726 sin6->sin6_family = AF_INET6;
2727 sin6->sin6_port = IPSEC_PORT_ANY;
2728 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2729 sizeof(ip6->ip6_src));
2730 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2731 /* fix scope id for comparing SPD */
2732 sin6->sin6_addr.s6_addr16[1] = 0;
2733 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2736 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2737 if (sin6->sin6_len == 0) {
2738 sin6->sin6_len = sizeof(*sin6);
2739 sin6->sin6_family = AF_INET6;
2740 sin6->sin6_port = IPSEC_PORT_ANY;
2741 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2742 sizeof(ip6->ip6_dst));
2743 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2744 /* fix scope id for comparing SPD */
2745 sin6->sin6_addr.s6_addr16[1] = 0;
2746 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2750 if (key_checkrequest(isr, &saidx) == ENOENT) {
2752 * IPsec processing is required, but no SA found.
2753 * I assume that key_acquire() had been called
2754 * to get/establish the SA. Here I discard
2755 * this packet because it is responsibility for
2756 * upper layer to retransmit the packet.
2758 ipsec6stat.out_nosa++;
2762 * Notify the fact that the packet is discarded
2763 * to ourselves. I believe this is better than
2764 * just silently discarding. (jinmei@kame.net)
2765 * XXX: should we restrict the error to TCP packets?
2766 * XXX: should we directly notify sockets via
2769 icmp6_error(state->m, ICMP6_DST_UNREACH,
2770 ICMP6_DST_UNREACH_ADMIN, 0);
2771 state->m = NULL; /* icmp6_error freed the mbuf */
2775 /* validity check */
2776 if (isr->sav == NULL) {
2777 switch (ipsec_get_reqlevel(isr)) {
2778 case IPSEC_LEVEL_USE:
2780 case IPSEC_LEVEL_REQUIRE:
2781 /* must be not reached here. */
2782 panic("ipsec6_output_trans: no SA found, but required.");
2787 * If there is no valid SA, we give up to process.
2788 * see same place at ipsec4_output().
2790 if (isr->sav->state != SADB_SASTATE_MATURE
2791 && isr->sav->state != SADB_SASTATE_DYING) {
2792 ipsec6stat.out_nosa++;
2797 switch (isr->saidx.proto) {
2800 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2807 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2809 case IPPROTO_IPCOMP:
2810 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2813 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2814 "unknown ipsec protocol %d\n", isr->saidx.proto));
2816 ipsec6stat.out_inval++;
2824 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2825 if (plen > IPV6_MAXPACKET) {
2826 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2827 "IPsec with IPv6 jumbogram is not supported\n"));
2828 ipsec6stat.out_inval++;
2829 error = EINVAL; /* XXX */
2832 ip6 = mtod(state->m, struct ip6_hdr *);
2833 ip6->ip6_plen = htons(plen);
2836 /* if we have more to go, we need a tunnel mode processing */
2839 lwkt_reltoken(&key_token);
2843 lwkt_reltoken(&key_token);
2850 * IPsec output logic for IPv6, tunnel mode.
2853 ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp,
2856 struct ip6_hdr *ip6;
2857 struct ipsecrequest *isr = NULL;
2858 struct secasindex saidx;
2861 struct sockaddr_in6* dst6;
2864 panic("state == NULL in ipsec6_output_tunnel");
2866 panic("state->m == NULL in ipsec6_output_tunnel");
2868 panic("sp == NULL in ipsec6_output_tunnel");
2870 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2871 kprintf("ipsec6_output_tunnel: applyed SP\n");
2872 kdebug_secpolicy(sp));
2875 * transport mode ipsec (before the 1st tunnel mode) is already
2876 * processed by ipsec6_output_trans().
2878 lwkt_gettoken(&key_token);
2879 for (isr = sp->req; isr; isr = isr->next) {
2880 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
2884 for (/* already initialized */; isr; isr = isr->next) {
2885 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2886 /* When tunnel mode, SA peers must be specified. */
2887 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2889 /* make SA index to look for a proper SA */
2890 struct sockaddr_in6 *sin6;
2892 bzero(&saidx, sizeof(saidx));
2893 saidx.proto = isr->saidx.proto;
2894 saidx.mode = isr->saidx.mode;
2895 saidx.reqid = isr->saidx.reqid;
2897 ip6 = mtod(state->m, struct ip6_hdr *);
2898 sin6 = (struct sockaddr_in6 *)&saidx.src;
2899 if (sin6->sin6_len == 0) {
2900 sin6->sin6_len = sizeof(*sin6);
2901 sin6->sin6_family = AF_INET6;
2902 sin6->sin6_port = IPSEC_PORT_ANY;
2903 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2904 sizeof(ip6->ip6_src));
2905 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2906 /* fix scope id for comparing SPD */
2907 sin6->sin6_addr.s6_addr16[1] = 0;
2908 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2911 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2912 if (sin6->sin6_len == 0) {
2913 sin6->sin6_len = sizeof(*sin6);
2914 sin6->sin6_family = AF_INET6;
2915 sin6->sin6_port = IPSEC_PORT_ANY;
2916 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2917 sizeof(ip6->ip6_dst));
2918 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2919 /* fix scope id for comparing SPD */
2920 sin6->sin6_addr.s6_addr16[1] = 0;
2921 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2926 if (key_checkrequest(isr, &saidx) == ENOENT) {
2928 * IPsec processing is required, but no SA found.
2929 * I assume that key_acquire() had been called
2930 * to get/establish the SA. Here I discard
2931 * this packet because it is responsibility for
2932 * upper layer to retransmit the packet.
2934 ipsec6stat.out_nosa++;
2939 /* validity check */
2940 if (isr->sav == NULL) {
2941 switch (ipsec_get_reqlevel(isr)) {
2942 case IPSEC_LEVEL_USE:
2944 case IPSEC_LEVEL_REQUIRE:
2945 /* must be not reached here. */
2946 panic("ipsec6_output_tunnel: no SA found, but required.");
2951 * If there is no valid SA, we give up to process.
2952 * see same place at ipsec4_output().
2954 if (isr->sav->state != SADB_SASTATE_MATURE
2955 && isr->sav->state != SADB_SASTATE_DYING) {
2956 ipsec6stat.out_nosa++;
2962 * There may be the case that SA status will be changed when
2963 * we are refering to one. So calling crit_enter().
2967 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2969 * build IPsec tunnel.
2971 /* XXX should be processed with other familiy */
2972 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
2973 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2974 "family mismatched between inner and outer, spi=%u\n",
2975 (u_int32_t)ntohl(isr->sav->spi)));
2977 ipsec6stat.out_inval++;
2978 error = EAFNOSUPPORT;
2982 state->m = ipsec6_splithdr(state->m);
2985 ipsec6stat.out_nomem++;
2989 error = ipsec6_encapsulate(state->m, isr->sav);
2995 ip6 = mtod(state->m, struct ip6_hdr *);
2997 state->ro = &isr->sav->sah->sa_route;
2998 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2999 dst6 = (struct sockaddr_in6 *)state->dst;
3000 if (state->ro->ro_rt
3001 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
3002 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
3003 RTFREE(state->ro->ro_rt);
3004 state->ro->ro_rt = NULL;
3006 if (state->ro->ro_rt == NULL) {
3007 bzero(dst6, sizeof(*dst6));
3008 dst6->sin6_family = AF_INET6;
3009 dst6->sin6_len = sizeof(*dst6);
3010 dst6->sin6_addr = ip6->ip6_dst;
3013 if (state->ro->ro_rt == NULL) {
3014 ip6stat.ip6s_noroute++;
3015 ipsec6stat.out_noroute++;
3016 error = EHOSTUNREACH;
3020 /* adjust state->dst if tunnel endpoint is offlink */
3021 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3022 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3023 dst6 = (struct sockaddr_in6 *)state->dst;
3028 state->m = ipsec6_splithdr(state->m);
3030 ipsec6stat.out_nomem++;
3034 ip6 = mtod(state->m, struct ip6_hdr *);
3035 switch (isr->saidx.proto) {
3038 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3045 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3047 case IPPROTO_IPCOMP:
3048 /* XXX code should be here */
3051 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3052 "unknown ipsec protocol %d\n", isr->saidx.proto));
3054 ipsec6stat.out_inval++;
3062 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3063 if (plen > IPV6_MAXPACKET) {
3064 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3065 "IPsec with IPv6 jumbogram is not supported\n"));
3066 ipsec6stat.out_inval++;
3067 error = EINVAL; /* XXX */
3070 ip6 = mtod(state->m, struct ip6_hdr *);
3071 ip6->ip6_plen = htons(plen);
3073 lwkt_reltoken(&key_token);
3078 lwkt_reltoken(&key_token);
3087 * Chop IP header and option off from the payload.
3089 static struct mbuf *
3090 ipsec4_splithdr(struct mbuf *m)
3096 if (m->m_len < sizeof(struct ip))
3097 panic("ipsec4_splithdr: first mbuf too short");
3098 ip = mtod(m, struct ip *);
3100 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3102 hlen = ip->ip_hl << 2;
3104 if (m->m_len > hlen) {
3105 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
3110 M_MOVE_PKTHDR(mh, m);
3117 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3118 } else if (m->m_len < hlen) {
3119 m = m_pullup(m, hlen);
3128 static struct mbuf *
3129 ipsec6_splithdr(struct mbuf *m)
3132 struct ip6_hdr *ip6;
3135 if (m->m_len < sizeof(struct ip6_hdr))
3136 panic("ipsec6_splithdr: first mbuf too short");
3137 ip6 = mtod(m, struct ip6_hdr *);
3138 hlen = sizeof(struct ip6_hdr);
3139 if (m->m_len > hlen) {
3140 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
3145 M_MOVE_PKTHDR(mh, m);
3152 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3153 } else if (m->m_len < hlen) {
3154 m = m_pullup(m, hlen);
3162 /* validate inbound IPsec tunnel packet. */
3164 ipsec4_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3165 int off, u_int nxt0, struct secasvar *sav)
3167 u_int8_t nxt = nxt0 & 0xff;
3168 struct sockaddr_in *sin;
3169 struct sockaddr_in osrc, odst, isrc, idst;
3171 struct secpolicy *sp;
3175 if (m->m_len < sizeof(struct ip))
3176 panic("too short mbuf on ipsec4_tunnel_validate");
3178 if (nxt != IPPROTO_IPV4)
3180 if (m->m_pkthdr.len < off + sizeof(struct ip))
3182 /* do not decapsulate if the SA is for transport mode only */
3183 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3186 oip = mtod(m, struct ip *);
3188 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3190 hlen = oip->ip_hl << 2;
3192 if (hlen != sizeof(struct ip))
3195 /* AF_INET6 should be supported, but at this moment we don't. */
3196 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3197 if (sin->sin_family != AF_INET)
3199 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3203 bzero(&osrc, sizeof(osrc));
3204 bzero(&odst, sizeof(odst));
3205 bzero(&isrc, sizeof(isrc));
3206 bzero(&idst, sizeof(idst));
3207 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3209 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3210 sizeof(struct sockaddr_in);
3211 osrc.sin_addr = oip->ip_src;
3212 odst.sin_addr = oip->ip_dst;
3213 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3214 (caddr_t)&isrc.sin_addr);
3215 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3216 (caddr_t)&idst.sin_addr);
3219 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3220 * - if the inner destination is multicast address, there can be
3221 * multiple permissible inner source address. implementation
3222 * may want to skip verification of inner source address against
3224 * - if the inner protocol is ICMP, the packet may be an error report
3225 * from routers on the other side of the VPN cloud (R in the
3226 * following diagram). in this case, we cannot verify inner source
3227 * address against SPD selector.
3228 * me -- gw === gw -- R -- you
3230 * we consider the first bullet to be users responsibility on SPD entry
3231 * configuration (if you need to encrypt multicast traffic, set
3232 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3233 * address ranges for possible senders).
3234 * the second bullet is not taken care of (yet).
3236 * therefore, we do not do anything special about inner source.
3239 lwkt_gettoken(&key_token);
3240 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3241 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3244 lwkt_reltoken(&key_token);
3247 lwkt_reltoken(&key_token);
3253 /* validate inbound IPsec tunnel packet. */
3255 ipsec6_tunnel_validate(struct mbuf *m, /* no pullup permitted, m->m_len >= ip */
3256 int off, u_int nxt0, struct secasvar *sav)
3258 u_int8_t nxt = nxt0 & 0xff;
3259 struct sockaddr_in6 *sin6;
3260 struct sockaddr_in6 osrc, odst, isrc, idst;
3261 struct secpolicy *sp;
3262 struct ip6_hdr *oip6;
3265 if (m->m_len < sizeof(struct ip6_hdr))
3266 panic("too short mbuf on ipsec6_tunnel_validate");
3268 if (nxt != IPPROTO_IPV6)
3270 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3272 /* do not decapsulate if the SA is for transport mode only */
3273 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3276 oip6 = mtod(m, struct ip6_hdr *);
3277 /* AF_INET should be supported, but at this moment we don't. */
3278 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3279 if (sin6->sin6_family != AF_INET6)
3281 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3285 bzero(&osrc, sizeof(osrc));
3286 bzero(&odst, sizeof(odst));
3287 bzero(&isrc, sizeof(isrc));
3288 bzero(&idst, sizeof(idst));
3289 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3290 idst.sin6_family = AF_INET6;
3291 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3292 sizeof(struct sockaddr_in6);
3293 osrc.sin6_addr = oip6->ip6_src;
3294 odst.sin6_addr = oip6->ip6_dst;
3295 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3296 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3297 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3298 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3301 * regarding to inner source address validation, see a long comment
3302 * in ipsec4_tunnel_validate.
3305 lwkt_gettoken(&key_token);
3306 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3307 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3309 * when there is no suitable inbound policy for the packet of the ipsec
3310 * tunnel mode, the kernel never decapsulate the tunneled packet
3311 * as the ipsec tunnel mode even when the system wide policy is "none".
3312 * then the kernel leaves the generic tunnel module to process this
3313 * packet. if there is no rule of the generic tunnel, the packet
3314 * is rejected and the statistics will be counted up.
3318 lwkt_reltoken(&key_token);
3321 lwkt_reltoken(&key_token);
3328 * Make a mbuf chain for encryption.
3329 * If the original mbuf chain contains a mbuf with a cluster,
3330 * allocate a new cluster and copy the data to the new cluster.
3331 * XXX: this hack is inefficient, but is necessary to handle cases
3332 * of TCP retransmission...
3335 ipsec_copypkt(struct mbuf *m)
3337 struct mbuf *n, **mpp, *mnew;
3339 for (n = m, mpp = &m; n; n = n->m_next) {
3340 if (n->m_flags & M_EXT) {
3342 * Make a copy only if there are more than one
3343 * references to the cluster.
3344 * XXX: is this approach effective?
3346 if (m_sharecount(n) > 1) {
3350 if (n->m_flags & M_PKTHDR) {
3351 MGETHDR(mnew, MB_DONTWAIT, MT_HEADER);
3354 if (!m_dup_pkthdr(mnew, n, MB_DONTWAIT)) {
3360 MGET(mnew, MB_DONTWAIT, MT_DATA);
3368 * Copy data. If we don't have enough space to
3369 * store the whole data, allocate a cluster
3370 * or additional mbufs.
3371 * XXX: we don't use m_copyback(), since the
3372 * function does not use clusters and thus is
3381 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3383 else { /* allocate a cluster */
3384 MCLGET(mm, MB_DONTWAIT);
3385 if (!(mm->m_flags & M_EXT)) {
3389 len = remain < MCLBYTES ?
3393 bcopy(n->m_data + copied, mm->m_data,
3400 if (remain <= 0) /* completed? */
3403 /* need another mbuf */
3404 MGETHDR(mn, MB_DONTWAIT, MT_HEADER);
3407 mn->m_pkthdr.rcvif = NULL;
3413 mm->m_next = m_free(n);
3432 ipsec_delaux(struct mbuf *m)
3436 while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
3437 m_tag_delete(m, tag);
3441 ipsec_addhist(struct mbuf *m, int proto, u_int32_t spi)
3444 struct ipsec_history *p;
3446 tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
3447 sizeof (struct ipsec_history), MB_DONTWAIT);
3450 p = (struct ipsec_history *)m_tag_data(tag);
3451 bzero(p, sizeof(*p));
3452 p->ih_proto = proto;
3454 m_tag_prepend(m, tag);
3458 struct ipsec_history *
3459 ipsec_gethist(struct mbuf *m, int *lenp)
3463 tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
3466 /* XXX NB: noone uses this so fake it */
3468 *lenp = sizeof (struct ipsec_history);
3469 return ((struct ipsec_history *)(tag+1));