2 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 * may be used to endorse or promote products derived from this software
18 * without specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * IPsec controller part.
38 #include "opt_inet6.h"
39 #include "opt_ipsec.h"
41 #include <sys/param.h>
42 #include <sys/systm.h>
43 #include <sys/malloc.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/socketvar.h>
49 #include <sys/errno.h>
51 #include <sys/kernel.h>
52 #include <sys/syslog.h>
53 #include <sys/sysctl.h>
57 #include <net/route.h>
59 #include <netinet/in.h>
60 #include <netinet/in_systm.h>
61 #include <netinet/ip.h>
62 #include <netinet/ip_var.h>
63 #include <netinet/in_var.h>
64 #include <netinet/udp.h>
65 #include <netinet/udp_var.h>
66 #include <netinet/ip_ecn.h>
68 #include <netinet6/ip6_ecn.h>
70 #include <netinet/tcp.h>
71 #include <netinet/udp.h>
73 #include <netinet/ip6.h>
75 #include <netinet6/ip6_var.h>
77 #include <netinet/in_pcb.h>
79 #include <netinet/icmp6.h>
82 #include <netinet6/ipsec.h>
84 #include <netinet6/ipsec6.h>
86 #include <netinet6/ah.h>
88 #include <netinet6/ah6.h>
91 #include <netinet6/esp.h>
93 #include <netinet6/esp6.h>
96 #include <netinet6/ipcomp.h>
98 #include <netinet6/ipcomp6.h>
100 #include <netkey/key.h>
101 #include <netkey/keydb.h>
102 #include <netkey/key_debug.h>
104 #include <machine/in_cksum.h>
106 #include <net/net_osdep.h>
114 struct ipsecstat ipsecstat;
115 int ip4_ah_cleartos = 1;
116 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
117 int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
118 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
119 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
120 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
121 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
122 struct secpolicy ip4_def_policy;
123 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
124 int ip4_esp_randpad = -1;
127 SYSCTL_DECL(_net_inet_ipsec);
129 SYSCTL_DECL(_net_inet6_ipsec6);
134 SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
135 stats, CTLFLAG_RD, &ipsecstat, ipsecstat, "");
136 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
137 def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
138 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
139 CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
140 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
141 CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
142 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
143 CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
144 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
145 CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
146 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
147 ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, 0, "");
148 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
149 ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
150 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
151 dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
152 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
153 ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
154 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
155 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
156 SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
157 esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
160 struct ipsecstat ipsec6stat;
161 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
162 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
163 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
164 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
165 struct secpolicy ip6_def_policy;
166 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
167 int ip6_esp_randpad = -1;
169 /* net.inet6.ipsec6 */
170 SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
171 stats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
172 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
173 def_policy, CTLFLAG_RW, &ip6_def_policy.policy, 0, "");
174 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
175 CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
176 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
177 CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
178 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
179 CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
180 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
181 CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
182 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
183 ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
184 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
185 debug, CTLFLAG_RW, &ipsec_debug, 0, "");
186 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
187 esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
190 static int ipsec_setspidx_mbuf
191 __P((struct secpolicyindex *, u_int, u_int, struct mbuf *, int));
192 static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
194 static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
196 static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
197 static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
198 static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
200 static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
201 static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
203 static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
204 static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
205 static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src));
206 static int ipsec_set_policy __P((struct secpolicy **pcb_sp,
207 int optname, caddr_t request, size_t len, int priv));
208 static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp));
209 static void vshiftl __P((unsigned char *, int, int));
210 static int ipsec_in_reject __P((struct secpolicy *, struct mbuf *));
211 static size_t ipsec_hdrsiz __P((struct secpolicy *));
213 static struct mbuf *ipsec4_splithdr __P((struct mbuf *));
216 static struct mbuf *ipsec6_splithdr __P((struct mbuf *));
219 static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
222 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
224 static struct mbuf *ipsec_addaux __P((struct mbuf *));
225 static struct mbuf *ipsec_findaux __P((struct mbuf *));
226 static void ipsec_optaux __P((struct mbuf *, struct mbuf *));
229 * For OUTBOUND packet having a socket. Searching SPD for packet,
230 * and return a pointer to SP.
231 * OUT: NULL: no apropreate SP found, the following value is set to error.
233 * EACCES : discard packet.
234 * ENOENT : ipsec_acquire() in progress, maybe.
235 * others : error occured.
236 * others: a pointer to SP
238 * NOTE: IPv6 mapped adddress concern is implemented here.
241 ipsec4_getpolicybysock(m, dir, so, error)
247 struct inpcbpolicy *pcbsp = NULL;
248 struct secpolicy *currsp = NULL; /* policy on socket */
249 struct secpolicy *kernsp = NULL; /* policy on kernel */
252 if (m == NULL || so == NULL || error == NULL)
253 panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
255 switch (so->so_proto->pr_domain->dom_family) {
257 /* set spidx in pcb */
258 *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so));
262 /* set spidx in pcb */
263 *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
267 panic("ipsec4_getpolicybysock: unsupported address family\n");
271 switch (so->so_proto->pr_domain->dom_family) {
273 pcbsp = sotoinpcb(so)->inp_sp;
277 pcbsp = sotoin6pcb(so)->in6p_sp;
284 panic("ipsec4_getpolicybysock: pcbsp is NULL.\n");
287 case IPSEC_DIR_INBOUND:
288 currsp = pcbsp->sp_in;
290 case IPSEC_DIR_OUTBOUND:
291 currsp = pcbsp->sp_out;
294 panic("ipsec4_getpolicybysock: illegal direction.\n");
299 panic("ipsec4_getpolicybysock: currsp is NULL.\n");
301 /* when privilieged socket */
303 switch (currsp->policy) {
304 case IPSEC_POLICY_BYPASS:
309 case IPSEC_POLICY_ENTRUST:
310 /* look for a policy in SPD */
311 kernsp = key_allocsp(&currsp->spidx, dir);
314 if (kernsp != NULL) {
315 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
316 printf("DP ipsec4_getpolicybysock called "
317 "to allocate SP:%p\n", kernsp));
323 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
324 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
326 "fixed system default policy: %d->%d\n",
327 ip4_def_policy.policy, IPSEC_POLICY_NONE));
328 ip4_def_policy.policy = IPSEC_POLICY_NONE;
330 ip4_def_policy.refcnt++;
332 return &ip4_def_policy;
334 case IPSEC_POLICY_IPSEC:
340 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
341 "Invalid policy for PCB %d\n", currsp->policy));
348 /* when non-privilieged socket */
349 /* look for a policy in SPD */
350 kernsp = key_allocsp(&currsp->spidx, dir);
353 if (kernsp != NULL) {
354 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
355 printf("DP ipsec4_getpolicybysock called "
356 "to allocate SP:%p\n", kernsp));
362 switch (currsp->policy) {
363 case IPSEC_POLICY_BYPASS:
364 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
365 "Illegal policy for non-priviliged defined %d\n",
370 case IPSEC_POLICY_ENTRUST:
371 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
372 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
374 "fixed system default policy: %d->%d\n",
375 ip4_def_policy.policy, IPSEC_POLICY_NONE));
376 ip4_def_policy.policy = IPSEC_POLICY_NONE;
378 ip4_def_policy.refcnt++;
380 return &ip4_def_policy;
382 case IPSEC_POLICY_IPSEC:
388 ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
389 "Invalid policy for PCB %d\n", currsp->policy));
397 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
398 * and return a pointer to SP.
399 * OUT: positive: a pointer to the entry for security policy leaf matched.
400 * NULL: no apropreate SP found, the following value is set to error.
402 * EACCES : discard packet.
403 * ENOENT : ipsec_acquire() in progress, maybe.
404 * others : error occured.
407 ipsec4_getpolicybyaddr(m, dir, flag, error)
413 struct secpolicy *sp = NULL;
416 if (m == NULL || error == NULL)
417 panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
420 struct secpolicyindex spidx;
422 bzero(&spidx, sizeof(spidx));
424 /* make a index to look for a policy */
425 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
426 (flag & IP_FORWARDING) ? 0 : 1);
431 sp = key_allocsp(&spidx, dir);
436 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
437 printf("DP ipsec4_getpolicybyaddr called "
438 "to allocate SP:%p\n", sp));
444 if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
445 && ip4_def_policy.policy != IPSEC_POLICY_NONE) {
446 ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
447 ip4_def_policy.policy,
449 ip4_def_policy.policy = IPSEC_POLICY_NONE;
451 ip4_def_policy.refcnt++;
453 return &ip4_def_policy;
458 * For OUTBOUND packet having a socket. Searching SPD for packet,
459 * and return a pointer to SP.
460 * OUT: NULL: no apropreate SP found, the following value is set to error.
462 * EACCES : discard packet.
463 * ENOENT : ipsec_acquire() in progress, maybe.
464 * others : error occured.
465 * others: a pointer to SP
468 ipsec6_getpolicybysock(m, dir, so, error)
474 struct inpcbpolicy *pcbsp = NULL;
475 struct secpolicy *currsp = NULL; /* policy on socket */
476 struct secpolicy *kernsp = NULL; /* policy on kernel */
479 if (m == NULL || so == NULL || error == NULL)
480 panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
483 if (so->so_proto->pr_domain->dom_family != AF_INET6)
484 panic("ipsec6_getpolicybysock: socket domain != inet6\n");
487 /* set spidx in pcb */
488 ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
490 pcbsp = sotoin6pcb(so)->in6p_sp;
494 panic("ipsec6_getpolicybysock: pcbsp is NULL.\n");
497 case IPSEC_DIR_INBOUND:
498 currsp = pcbsp->sp_in;
500 case IPSEC_DIR_OUTBOUND:
501 currsp = pcbsp->sp_out;
504 panic("ipsec6_getpolicybysock: illegal direction.\n");
509 panic("ipsec6_getpolicybysock: currsp is NULL.\n");
511 /* when privilieged socket */
513 switch (currsp->policy) {
514 case IPSEC_POLICY_BYPASS:
519 case IPSEC_POLICY_ENTRUST:
520 /* look for a policy in SPD */
521 kernsp = key_allocsp(&currsp->spidx, dir);
524 if (kernsp != NULL) {
525 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
526 printf("DP ipsec6_getpolicybysock called "
527 "to allocate SP:%p\n", kernsp));
533 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
534 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
536 "fixed system default policy: %d->%d\n",
537 ip6_def_policy.policy, IPSEC_POLICY_NONE));
538 ip6_def_policy.policy = IPSEC_POLICY_NONE;
540 ip6_def_policy.refcnt++;
542 return &ip6_def_policy;
544 case IPSEC_POLICY_IPSEC:
550 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
551 "Invalid policy for PCB %d\n", currsp->policy));
558 /* when non-privilieged socket */
559 /* look for a policy in SPD */
560 kernsp = key_allocsp(&currsp->spidx, dir);
563 if (kernsp != NULL) {
564 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
565 printf("DP ipsec6_getpolicybysock called "
566 "to allocate SP:%p\n", kernsp));
572 switch (currsp->policy) {
573 case IPSEC_POLICY_BYPASS:
574 ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
575 "Illegal policy for non-priviliged defined %d\n",
580 case IPSEC_POLICY_ENTRUST:
581 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
582 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
584 "fixed system default policy: %d->%d\n",
585 ip6_def_policy.policy, IPSEC_POLICY_NONE));
586 ip6_def_policy.policy = IPSEC_POLICY_NONE;
588 ip6_def_policy.refcnt++;
590 return &ip6_def_policy;
592 case IPSEC_POLICY_IPSEC:
599 "ipsec6_policybysock: Invalid policy for PCB %d\n",
608 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
609 * and return a pointer to SP.
610 * `flag' means that packet is to be forwarded whether or not.
612 * OUT: positive: a pointer to the entry for security policy leaf matched.
613 * NULL: no apropreate SP found, the following value is set to error.
615 * EACCES : discard packet.
616 * ENOENT : ipsec_acquire() in progress, maybe.
617 * others : error occured.
619 #ifndef IP_FORWARDING
620 #define IP_FORWARDING 1
624 ipsec6_getpolicybyaddr(m, dir, flag, error)
630 struct secpolicy *sp = NULL;
633 if (m == NULL || error == NULL)
634 panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
637 struct secpolicyindex spidx;
639 bzero(&spidx, sizeof(spidx));
641 /* make a index to look for a policy */
642 *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
643 (flag & IP_FORWARDING) ? 0 : 1);
648 sp = key_allocsp(&spidx, dir);
653 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
654 printf("DP ipsec6_getpolicybyaddr called "
655 "to allocate SP:%p\n", sp));
661 if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
662 && ip6_def_policy.policy != IPSEC_POLICY_NONE) {
663 ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
664 ip6_def_policy.policy, IPSEC_POLICY_NONE));
665 ip6_def_policy.policy = IPSEC_POLICY_NONE;
667 ip6_def_policy.refcnt++;
669 return &ip6_def_policy;
674 * set IP address into spidx from mbuf.
675 * When Forwarding packet and ICMP echo reply, this function is used.
677 * IN: get the followings from mbuf.
678 * protocol family, src, dst, next protocol
681 * other: failure, and set errno.
684 ipsec_setspidx_mbuf(spidx, dir, family, m, needport)
685 struct secpolicyindex *spidx;
693 if (spidx == NULL || m == NULL)
694 panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
696 bzero(spidx, sizeof(*spidx));
698 error = ipsec_setspidx(m, spidx, needport);
707 bzero(spidx, sizeof(*spidx));
712 ipsec4_setspidx_inpcb(m, pcb)
716 struct secpolicyindex *spidx;
721 panic("ipsec4_setspidx_inpcb: no PCB found.\n");
722 if (pcb->inp_sp == NULL)
723 panic("ipsec4_setspidx_inpcb: no inp_sp found.\n");
724 if (pcb->inp_sp->sp_out == NULL || pcb->inp_sp->sp_in == NULL)
725 panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n");
727 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
728 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
730 spidx = &pcb->inp_sp->sp_in->spidx;
731 error = ipsec_setspidx(m, spidx, 1);
734 spidx->dir = IPSEC_DIR_INBOUND;
736 spidx = &pcb->inp_sp->sp_out->spidx;
737 error = ipsec_setspidx(m, spidx, 1);
740 spidx->dir = IPSEC_DIR_OUTBOUND;
745 bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
746 bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
752 ipsec6_setspidx_in6pcb(m, pcb)
756 struct secpolicyindex *spidx;
761 panic("ipsec6_setspidx_in6pcb: no PCB found.\n");
762 if (pcb->in6p_sp == NULL)
763 panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n");
764 if (pcb->in6p_sp->sp_out == NULL || pcb->in6p_sp->sp_in == NULL)
765 panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n");
767 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
768 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
770 spidx = &pcb->in6p_sp->sp_in->spidx;
771 error = ipsec_setspidx(m, spidx, 1);
774 spidx->dir = IPSEC_DIR_INBOUND;
776 spidx = &pcb->in6p_sp->sp_out->spidx;
777 error = ipsec_setspidx(m, spidx, 1);
780 spidx->dir = IPSEC_DIR_OUTBOUND;
785 bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
786 bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
792 * configure security policy index (src/dst/proto/sport/dport)
793 * by looking at the content of mbuf.
794 * the caller is responsible for error recovery (like clearing up spidx).
797 ipsec_setspidx(m, spidx, needport)
799 struct secpolicyindex *spidx;
802 struct ip *ip = NULL;
810 panic("ipsec_setspidx: m == 0 passed.\n");
813 * validate m->m_pkthdr.len. we see incorrect length if we
814 * mistakenly call this function with inconsistent mbuf chain
815 * (like 4.4BSD tcp/udp processing). XXX should we panic here?
818 for (n = m; n; n = n->m_next)
820 if (m->m_pkthdr.len != len) {
821 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
822 printf("ipsec_setspidx: "
823 "total of m_len(%d) != pkthdr.len(%d), "
825 len, m->m_pkthdr.len));
829 if (m->m_pkthdr.len < sizeof(struct ip)) {
830 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
831 printf("ipsec_setspidx: "
832 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
837 if (m->m_len >= sizeof(*ip))
838 ip = mtod(m, struct ip *);
840 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
844 v = _IP_VHL_V(ip->ip_vhl);
850 error = ipsec4_setspidx_ipaddr(m, spidx);
853 ipsec4_get_ulp(m, spidx, needport);
857 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
858 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
859 printf("ipsec_setspidx: "
860 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
861 "ignored.\n", m->m_pkthdr.len));
864 error = ipsec6_setspidx_ipaddr(m, spidx);
867 ipsec6_get_ulp(m, spidx, needport);
871 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
872 printf("ipsec_setspidx: "
873 "unknown IP version %u, ignored.\n", v));
879 ipsec4_get_ulp(m, spidx, needport)
881 struct secpolicyindex *spidx;
893 panic("ipsec4_get_ulp: NULL pointer was passed.\n");
894 if (m->m_pkthdr.len < sizeof(ip))
895 panic("ipsec4_get_ulp: too short\n");
898 spidx->ul_proto = IPSEC_ULPROTO_ANY;
899 ((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
900 ((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
902 m_copydata(m, 0, sizeof(ip), (caddr_t)&ip);
903 /* ip_input() flips it into host endian XXX need more checking */
904 if (ip.ip_off & (IP_MF | IP_OFFMASK))
909 off = _IP_VHL_HL(ip->ip_vhl) << 2;
913 while (off < m->m_pkthdr.len) {
916 spidx->ul_proto = nxt;
919 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
921 m_copydata(m, off, sizeof(th), (caddr_t)&th);
922 ((struct sockaddr_in *)&spidx->src)->sin_port =
924 ((struct sockaddr_in *)&spidx->dst)->sin_port =
928 spidx->ul_proto = nxt;
931 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
933 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
934 ((struct sockaddr_in *)&spidx->src)->sin_port =
936 ((struct sockaddr_in *)&spidx->dst)->sin_port =
940 if (m->m_pkthdr.len > off + sizeof(ip6e))
942 m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
943 off += (ip6e.ip6e_len + 2) << 2;
948 /* XXX intermediate headers??? */
949 spidx->ul_proto = nxt;
955 /* assumes that m is sane */
957 ipsec4_setspidx_ipaddr(m, spidx)
959 struct secpolicyindex *spidx;
961 struct ip *ip = NULL;
963 struct sockaddr_in *sin;
965 if (m->m_len >= sizeof(*ip))
966 ip = mtod(m, struct ip *);
968 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
972 sin = (struct sockaddr_in *)&spidx->src;
973 bzero(sin, sizeof(*sin));
974 sin->sin_family = AF_INET;
975 sin->sin_len = sizeof(struct sockaddr_in);
976 bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
977 spidx->prefs = sizeof(struct in_addr) << 3;
979 sin = (struct sockaddr_in *)&spidx->dst;
980 bzero(sin, sizeof(*sin));
981 sin->sin_family = AF_INET;
982 sin->sin_len = sizeof(struct sockaddr_in);
983 bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
984 spidx->prefd = sizeof(struct in_addr) << 3;
990 ipsec6_get_ulp(m, spidx, needport)
992 struct secpolicyindex *spidx;
1001 panic("ipsec6_get_ulp: NULL pointer was passed.\n");
1003 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1004 printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1007 spidx->ul_proto = IPSEC_ULPROTO_ANY;
1008 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1009 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1012 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1013 if (off < 0 || m->m_pkthdr.len < off)
1018 spidx->ul_proto = nxt;
1021 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1023 m_copydata(m, off, sizeof(th), (caddr_t)&th);
1024 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1025 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1028 spidx->ul_proto = nxt;
1031 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1033 m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1034 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1035 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1037 case IPPROTO_ICMPV6:
1039 /* XXX intermediate headers??? */
1040 spidx->ul_proto = nxt;
1045 /* assumes that m is sane */
1047 ipsec6_setspidx_ipaddr(m, spidx)
1049 struct secpolicyindex *spidx;
1051 struct ip6_hdr *ip6 = NULL;
1052 struct ip6_hdr ip6buf;
1053 struct sockaddr_in6 *sin6;
1055 if (m->m_len >= sizeof(*ip6))
1056 ip6 = mtod(m, struct ip6_hdr *);
1058 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
1062 sin6 = (struct sockaddr_in6 *)&spidx->src;
1063 bzero(sin6, sizeof(*sin6));
1064 sin6->sin6_family = AF_INET6;
1065 sin6->sin6_len = sizeof(struct sockaddr_in6);
1066 bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1067 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1068 sin6->sin6_addr.s6_addr16[1] = 0;
1069 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1071 spidx->prefs = sizeof(struct in6_addr) << 3;
1073 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1074 bzero(sin6, sizeof(*sin6));
1075 sin6->sin6_family = AF_INET6;
1076 sin6->sin6_len = sizeof(struct sockaddr_in6);
1077 bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1078 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1079 sin6->sin6_addr.s6_addr16[1] = 0;
1080 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1082 spidx->prefd = sizeof(struct in6_addr) << 3;
1088 static struct inpcbpolicy *
1089 ipsec_newpcbpolicy()
1091 struct inpcbpolicy *p;
1093 p = (struct inpcbpolicy *)malloc(sizeof(*p), M_SECA, M_NOWAIT);
1098 ipsec_delpcbpolicy(p)
1099 struct inpcbpolicy *p;
1104 /* initialize policy in PCB */
1106 ipsec_init_policy(so, pcb_sp)
1108 struct inpcbpolicy **pcb_sp;
1110 struct inpcbpolicy *new;
1113 if (so == NULL || pcb_sp == NULL)
1114 panic("ipsec_init_policy: NULL pointer was passed.\n");
1116 new = ipsec_newpcbpolicy();
1118 ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1121 bzero(new, sizeof(*new));
1123 if (so->so_cred != 0 && so->so_cred->cr_uid == 0)
1128 if ((new->sp_in = key_newsp()) == NULL) {
1129 ipsec_delpcbpolicy(new);
1132 new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1133 new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1135 if ((new->sp_out = key_newsp()) == NULL) {
1136 key_freesp(new->sp_in);
1137 ipsec_delpcbpolicy(new);
1140 new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1141 new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1148 /* copy old ipsec policy into new */
1150 ipsec_copy_policy(old, new)
1151 struct inpcbpolicy *old, *new;
1153 struct secpolicy *sp;
1155 sp = ipsec_deepcopy_policy(old->sp_in);
1157 key_freesp(new->sp_in);
1162 sp = ipsec_deepcopy_policy(old->sp_out);
1164 key_freesp(new->sp_out);
1169 new->priv = old->priv;
1174 /* deep-copy a policy in PCB */
1175 static struct secpolicy *
1176 ipsec_deepcopy_policy(src)
1177 struct secpolicy *src;
1179 struct ipsecrequest *newchain = NULL;
1180 struct ipsecrequest *p;
1181 struct ipsecrequest **q;
1182 struct ipsecrequest *r;
1183 struct secpolicy *dst;
1186 if (src == NULL || dst == NULL)
1190 * deep-copy IPsec request chain. This is required since struct
1191 * ipsecrequest is not reference counted.
1194 for (p = src->req; p; p = p->next) {
1195 *q = (struct ipsecrequest *)malloc(sizeof(struct ipsecrequest),
1199 bzero(*q, sizeof(**q));
1202 (*q)->saidx.proto = p->saidx.proto;
1203 (*q)->saidx.mode = p->saidx.mode;
1204 (*q)->level = p->level;
1205 (*q)->saidx.reqid = p->saidx.reqid;
1207 bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
1208 bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
1216 dst->req = newchain;
1217 dst->state = src->state;
1218 dst->policy = src->policy;
1219 /* do not touch the refcnt fields */
1224 for (p = newchain; p; p = r) {
1232 /* set policy and ipsec request if present. */
1234 ipsec_set_policy(pcb_sp, optname, request, len, priv)
1235 struct secpolicy **pcb_sp;
1241 struct sadb_x_policy *xpl;
1242 struct secpolicy *newsp = NULL;
1246 if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1248 if (len < sizeof(*xpl))
1250 xpl = (struct sadb_x_policy *)request;
1252 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1253 printf("ipsec_set_policy: passed policy\n");
1254 kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1256 /* check policy type */
1257 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1258 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1259 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1262 /* check privileged socket */
1263 if (priv == 0 && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1266 /* allocation new SP entry */
1267 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1270 newsp->state = IPSEC_SPSTATE_ALIVE;
1272 /* clear old SP and set new SP */
1273 key_freesp(*pcb_sp);
1275 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1276 printf("ipsec_set_policy: new policy\n");
1277 kdebug_secpolicy(newsp));
1283 ipsec_get_policy(pcb_sp, mp)
1284 struct secpolicy *pcb_sp;
1289 if (pcb_sp == NULL || mp == NULL)
1292 *mp = key_sp2msg(pcb_sp);
1294 ipseclog((LOG_DEBUG, "ipsec_get_policy: No more memory.\n"));
1298 (*mp)->m_type = MT_DATA;
1299 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1300 printf("ipsec_get_policy:\n");
1307 ipsec4_set_policy(inp, optname, request, len, priv)
1314 struct sadb_x_policy *xpl;
1315 struct secpolicy **pcb_sp;
1318 if (inp == NULL || request == NULL)
1320 if (len < sizeof(*xpl))
1322 xpl = (struct sadb_x_policy *)request;
1324 /* select direction */
1325 switch (xpl->sadb_x_policy_dir) {
1326 case IPSEC_DIR_INBOUND:
1327 pcb_sp = &inp->inp_sp->sp_in;
1329 case IPSEC_DIR_OUTBOUND:
1330 pcb_sp = &inp->inp_sp->sp_out;
1333 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1334 xpl->sadb_x_policy_dir));
1338 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1342 ipsec4_get_policy(inp, request, len, mp)
1348 struct sadb_x_policy *xpl;
1349 struct secpolicy *pcb_sp;
1352 if (inp == NULL || request == NULL || mp == NULL)
1354 if (inp->inp_sp == NULL)
1355 panic("policy in PCB is NULL\n");
1356 if (len < sizeof(*xpl))
1358 xpl = (struct sadb_x_policy *)request;
1360 /* select direction */
1361 switch (xpl->sadb_x_policy_dir) {
1362 case IPSEC_DIR_INBOUND:
1363 pcb_sp = inp->inp_sp->sp_in;
1365 case IPSEC_DIR_OUTBOUND:
1366 pcb_sp = inp->inp_sp->sp_out;
1369 ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1370 xpl->sadb_x_policy_dir));
1374 return ipsec_get_policy(pcb_sp, mp);
1377 /* delete policy in PCB */
1379 ipsec4_delete_pcbpolicy(inp)
1384 panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
1386 if (inp->inp_sp == NULL)
1389 if (inp->inp_sp->sp_in != NULL) {
1390 key_freesp(inp->inp_sp->sp_in);
1391 inp->inp_sp->sp_in = NULL;
1394 if (inp->inp_sp->sp_out != NULL) {
1395 key_freesp(inp->inp_sp->sp_out);
1396 inp->inp_sp->sp_out = NULL;
1399 ipsec_delpcbpolicy(inp->inp_sp);
1407 ipsec6_set_policy(in6p, optname, request, len, priv)
1408 struct in6pcb *in6p;
1414 struct sadb_x_policy *xpl;
1415 struct secpolicy **pcb_sp;
1418 if (in6p == NULL || request == NULL)
1420 if (len < sizeof(*xpl))
1422 xpl = (struct sadb_x_policy *)request;
1424 /* select direction */
1425 switch (xpl->sadb_x_policy_dir) {
1426 case IPSEC_DIR_INBOUND:
1427 pcb_sp = &in6p->in6p_sp->sp_in;
1429 case IPSEC_DIR_OUTBOUND:
1430 pcb_sp = &in6p->in6p_sp->sp_out;
1433 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1434 xpl->sadb_x_policy_dir));
1438 return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1442 ipsec6_get_policy(in6p, request, len, mp)
1443 struct in6pcb *in6p;
1448 struct sadb_x_policy *xpl;
1449 struct secpolicy *pcb_sp;
1452 if (in6p == NULL || request == NULL || mp == NULL)
1454 if (in6p->in6p_sp == NULL)
1455 panic("policy in PCB is NULL\n");
1456 if (len < sizeof(*xpl))
1458 xpl = (struct sadb_x_policy *)request;
1460 /* select direction */
1461 switch (xpl->sadb_x_policy_dir) {
1462 case IPSEC_DIR_INBOUND:
1463 pcb_sp = in6p->in6p_sp->sp_in;
1465 case IPSEC_DIR_OUTBOUND:
1466 pcb_sp = in6p->in6p_sp->sp_out;
1469 ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1470 xpl->sadb_x_policy_dir));
1474 return ipsec_get_policy(pcb_sp, mp);
1478 ipsec6_delete_pcbpolicy(in6p)
1479 struct in6pcb *in6p;
1483 panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
1485 if (in6p->in6p_sp == NULL)
1488 if (in6p->in6p_sp->sp_in != NULL) {
1489 key_freesp(in6p->in6p_sp->sp_in);
1490 in6p->in6p_sp->sp_in = NULL;
1493 if (in6p->in6p_sp->sp_out != NULL) {
1494 key_freesp(in6p->in6p_sp->sp_out);
1495 in6p->in6p_sp->sp_out = NULL;
1498 ipsec_delpcbpolicy(in6p->in6p_sp);
1499 in6p->in6p_sp = NULL;
1506 * return current level.
1507 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1510 ipsec_get_reqlevel(isr)
1511 struct ipsecrequest *isr;
1514 u_int esp_trans_deflev, esp_net_deflev, ah_trans_deflev, ah_net_deflev;
1517 if (isr == NULL || isr->sp == NULL)
1518 panic("ipsec_get_reqlevel: NULL pointer is passed.\n");
1519 if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1520 != ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1521 panic("ipsec_get_reqlevel: family mismatched.\n");
1523 /* XXX note that we have ipseclog() expanded here - code sync issue */
1524 #define IPSEC_CHECK_DEFAULT(lev) \
1525 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1526 && (lev) != IPSEC_LEVEL_UNIQUE) \
1528 ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1529 (lev), IPSEC_LEVEL_REQUIRE) \
1531 (lev) = IPSEC_LEVEL_REQUIRE, \
1535 /* set default level */
1536 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1539 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1540 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1541 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1542 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1547 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1548 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1549 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1550 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1554 panic("key_get_reqlevel: Unknown family. %d\n",
1555 ((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1558 #undef IPSEC_CHECK_DEFAULT
1561 switch (isr->level) {
1562 case IPSEC_LEVEL_DEFAULT:
1563 switch (isr->saidx.proto) {
1565 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1566 level = esp_net_deflev;
1568 level = esp_trans_deflev;
1571 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1572 level = ah_net_deflev;
1574 level = ah_trans_deflev;
1575 case IPPROTO_IPCOMP:
1577 * we don't really care, as IPcomp document says that
1578 * we shouldn't compress small packets
1580 level = IPSEC_LEVEL_USE;
1583 panic("ipsec_get_reqlevel: "
1584 "Illegal protocol defined %u\n",
1589 case IPSEC_LEVEL_USE:
1590 case IPSEC_LEVEL_REQUIRE:
1593 case IPSEC_LEVEL_UNIQUE:
1594 level = IPSEC_LEVEL_REQUIRE;
1598 panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1606 * Check AH/ESP integrity.
1612 ipsec_in_reject(sp, m)
1613 struct secpolicy *sp;
1616 struct ipsecrequest *isr;
1618 int need_auth, need_conf, need_icv;
1620 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1621 printf("ipsec_in_reject: using SP\n");
1622 kdebug_secpolicy(sp));
1625 switch (sp->policy) {
1626 case IPSEC_POLICY_DISCARD:
1628 case IPSEC_POLICY_BYPASS:
1629 case IPSEC_POLICY_NONE:
1632 case IPSEC_POLICY_IPSEC:
1635 case IPSEC_POLICY_ENTRUST:
1637 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1644 /* XXX should compare policy against ipsec header history */
1646 for (isr = sp->req; isr != NULL; isr = isr->next) {
1648 /* get current level */
1649 level = ipsec_get_reqlevel(isr);
1651 switch (isr->saidx.proto) {
1653 if (level == IPSEC_LEVEL_REQUIRE) {
1656 if (isr->sav != NULL
1657 && isr->sav->flags == SADB_X_EXT_NONE
1658 && isr->sav->alg_auth != SADB_AALG_NONE)
1663 if (level == IPSEC_LEVEL_REQUIRE) {
1668 case IPPROTO_IPCOMP:
1670 * we don't really care, as IPcomp document says that
1671 * we shouldn't compress small packets, IPComp policy
1672 * should always be treated as being in "use" level.
1678 KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1679 printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1680 need_auth, need_conf, need_icv, m->m_flags));
1682 if ((need_conf && !(m->m_flags & M_DECRYPTED))
1683 || (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1684 || (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1691 * Check AH/ESP integrity.
1692 * This function is called from tcp_input(), udp_input(),
1693 * and {ah,esp}4_input for tunnel mode
1696 ipsec4_in_reject_so(m, so)
1700 struct secpolicy *sp = NULL;
1706 return 0; /* XXX should be panic ? */
1708 /* get SP for this packet.
1709 * When we are called from ip_forward(), we call
1710 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1713 sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1715 sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1718 return 0; /* XXX should be panic ?
1719 * -> No, there may be error. */
1721 result = ipsec_in_reject(sp, m);
1722 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1723 printf("DP ipsec4_in_reject_so call free SP:%p\n", sp));
1730 ipsec4_in_reject(m, inp)
1735 return ipsec4_in_reject_so(m, NULL);
1736 if (inp->inp_socket)
1737 return ipsec4_in_reject_so(m, inp->inp_socket);
1739 panic("ipsec4_in_reject: invalid inpcb/socket");
1744 * Check AH/ESP integrity.
1745 * This function is called from tcp6_input(), udp6_input(),
1746 * and {ah,esp}6_input for tunnel mode
1749 ipsec6_in_reject_so(m, so)
1753 struct secpolicy *sp = NULL;
1759 return 0; /* XXX should be panic ? */
1761 /* get SP for this packet.
1762 * When we are called from ip_forward(), we call
1763 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
1766 sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1768 sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
1771 return 0; /* XXX should be panic ? */
1773 result = ipsec_in_reject(sp, m);
1774 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1775 printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
1782 ipsec6_in_reject(m, in6p)
1784 struct in6pcb *in6p;
1787 return ipsec6_in_reject_so(m, NULL);
1788 if (in6p->in6p_socket)
1789 return ipsec6_in_reject_so(m, in6p->in6p_socket);
1791 panic("ipsec6_in_reject: invalid in6p/socket");
1796 * compute the byte size to be occupied by IPsec header.
1797 * in case it is tunneled, it includes the size of outer IP header.
1798 * NOTE: SP passed is free in this function.
1802 struct secpolicy *sp;
1804 struct ipsecrequest *isr;
1807 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1808 printf("ipsec_hdrsiz: using SP\n");
1809 kdebug_secpolicy(sp));
1812 switch (sp->policy) {
1813 case IPSEC_POLICY_DISCARD:
1814 case IPSEC_POLICY_BYPASS:
1815 case IPSEC_POLICY_NONE:
1818 case IPSEC_POLICY_IPSEC:
1821 case IPSEC_POLICY_ENTRUST:
1823 panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1828 for (isr = sp->req; isr != NULL; isr = isr->next) {
1832 switch (isr->saidx.proto) {
1835 clen = esp_hdrsiz(isr);
1841 clen = ah_hdrsiz(isr);
1843 case IPPROTO_IPCOMP:
1844 clen = sizeof(struct ipcomp);
1848 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1849 switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
1851 clen += sizeof(struct ip);
1855 clen += sizeof(struct ip6_hdr);
1859 ipseclog((LOG_ERR, "ipsec_hdrsiz: "
1860 "unknown AF %d in IPsec tunnel SA\n",
1861 ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1871 /* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1873 ipsec4_hdrsiz(m, dir, inp)
1878 struct secpolicy *sp = NULL;
1884 return 0; /* XXX should be panic ? */
1885 if (inp != NULL && inp->inp_socket == NULL)
1886 panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
1888 /* get SP for this packet.
1889 * When we are called from ip_forward(), we call
1890 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1893 sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1895 sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
1898 return 0; /* XXX should be panic ? */
1900 size = ipsec_hdrsiz(sp);
1901 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1902 printf("DP ipsec4_hdrsiz call free SP:%p\n", sp));
1903 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1904 printf("ipsec4_hdrsiz: size:%lu.\n", (unsigned long)size));
1911 /* This function is called from ipsec6_hdrsize_tcp(),
1912 * and maybe from ip6_forward.()
1915 ipsec6_hdrsiz(m, dir, in6p)
1918 struct in6pcb *in6p;
1920 struct secpolicy *sp = NULL;
1926 return 0; /* XXX shoud be panic ? */
1927 if (in6p != NULL && in6p->in6p_socket == NULL)
1928 panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
1930 /* get SP for this packet */
1931 /* XXX Is it right to call with IP_FORWARDING. */
1933 sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1935 sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
1939 size = ipsec_hdrsiz(sp);
1940 KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1941 printf("DP ipsec6_hdrsiz call free SP:%p\n", sp));
1942 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1943 printf("ipsec6_hdrsiz: size:%lu.\n", (unsigned long)size));
1952 * encapsulate for ipsec tunnel.
1953 * ip->ip_src must be fixed later on.
1956 ipsec4_encapsulate(m, sav)
1958 struct secasvar *sav;
1965 /* can't tunnel between different AFs */
1966 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
1967 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
1968 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
1973 /* XXX if the dst is myself, perform nothing. */
1974 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
1980 if (m->m_len < sizeof(*ip))
1981 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1983 ip = mtod(m, struct ip *);
1985 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
1987 hlen = ip->ip_hl << 2;
1990 if (m->m_len != hlen)
1991 panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
1993 /* generate header checksum */
1996 if (ip->ip_vhl == IP_VHL_BORING)
1997 ip->ip_sum = in_cksum_hdr(ip);
1999 ip->ip_sum = in_cksum(m, hlen);
2001 ip->ip_sum = in_cksum(m, hlen);
2004 plen = m->m_pkthdr.len;
2007 * grow the mbuf to accomodate the new IPv4 header.
2008 * NOTE: IPv4 options will never be copied.
2010 if (M_LEADINGSPACE(m->m_next) < hlen) {
2012 MGET(n, M_DONTWAIT, MT_DATA);
2018 n->m_next = m->m_next;
2020 m->m_pkthdr.len += hlen;
2021 oip = mtod(n, struct ip *);
2023 m->m_next->m_len += hlen;
2024 m->m_next->m_data -= hlen;
2025 m->m_pkthdr.len += hlen;
2026 oip = mtod(m->m_next, struct ip *);
2028 ip = mtod(m, struct ip *);
2029 ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2030 m->m_len = sizeof(struct ip);
2031 m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2033 /* construct new IPv4 header. see RFC 2401 5.1.2.1 */
2034 /* ECN consideration. */
2035 ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2037 ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> 2);
2039 ip->ip_hl = sizeof(struct ip) >> 2;
2041 ip->ip_off &= htons(~IP_OFFMASK);
2042 ip->ip_off &= htons(~IP_MF);
2043 switch (ip4_ipsec_dfbit) {
2044 case 0: /* clear DF bit */
2045 ip->ip_off &= htons(~IP_DF);
2047 case 1: /* set DF bit */
2048 ip->ip_off |= htons(IP_DF);
2050 default: /* copy DF bit */
2053 ip->ip_p = IPPROTO_IPIP;
2054 if (plen + sizeof(struct ip) < IP_MAXPACKET)
2055 ip->ip_len = htons(plen + sizeof(struct ip));
2057 ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2058 "leave ip_len as is (invalid packet)\n"));
2061 ip->ip_id = ip_randomid();
2063 ip->ip_id = htons(ip_id++);
2065 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2066 &ip->ip_src, sizeof(ip->ip_src));
2067 bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2068 &ip->ip_dst, sizeof(ip->ip_dst));
2069 ip->ip_ttl = IPDEFTTL;
2071 /* XXX Should ip_src be updated later ? */
2079 ipsec6_encapsulate(m, sav)
2081 struct secasvar *sav;
2083 struct ip6_hdr *oip6;
2084 struct ip6_hdr *ip6;
2087 /* can't tunnel between different AFs */
2088 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2089 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2090 || ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2095 /* XXX if the dst is myself, perform nothing. */
2096 if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2102 plen = m->m_pkthdr.len;
2105 * grow the mbuf to accomodate the new IPv6 header.
2107 if (m->m_len != sizeof(struct ip6_hdr))
2108 panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2109 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2111 MGET(n, M_DONTWAIT, MT_DATA);
2116 n->m_len = sizeof(struct ip6_hdr);
2117 n->m_next = m->m_next;
2119 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2120 oip6 = mtod(n, struct ip6_hdr *);
2122 m->m_next->m_len += sizeof(struct ip6_hdr);
2123 m->m_next->m_data -= sizeof(struct ip6_hdr);
2124 m->m_pkthdr.len += sizeof(struct ip6_hdr);
2125 oip6 = mtod(m->m_next, struct ip6_hdr *);
2127 ip6 = mtod(m, struct ip6_hdr *);
2128 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2130 /* Fake link-local scope-class addresses */
2131 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2132 oip6->ip6_src.s6_addr16[1] = 0;
2133 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2134 oip6->ip6_dst.s6_addr16[1] = 0;
2136 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
2137 /* ECN consideration. */
2138 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2139 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2140 ip6->ip6_plen = htons(plen);
2142 /* ip6->ip6_plen will be updated in ip6_output() */
2144 ip6->ip6_nxt = IPPROTO_IPV6;
2145 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2146 &ip6->ip6_src, sizeof(ip6->ip6_src));
2147 bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2148 &ip6->ip6_dst, sizeof(ip6->ip6_dst));
2149 ip6->ip6_hlim = IPV6_DEFHLIM;
2151 /* XXX Should ip6_src be updated later ? */
2158 * Check the variable replay window.
2159 * ipsec_chkreplay() performs replay check before ICV verification.
2160 * ipsec_updatereplay() updates replay bitmap. This must be called after
2161 * ICV verification (it also performs replay check, which is usually done
2163 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2165 * based on RFC 2401.
2168 ipsec_chkreplay(seq, sav)
2170 struct secasvar *sav;
2172 const struct secreplay *replay;
2175 u_int32_t wsizeb; /* constant: bits of window size */
2176 int frlast; /* constant: last frame */
2180 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2182 replay = sav->replay;
2184 if (replay->wsize == 0)
2185 return 1; /* no need to check replay. */
2188 frlast = replay->wsize - 1;
2189 wsizeb = replay->wsize << 3;
2191 /* sequence number of 0 is invalid */
2195 /* first time is always okay */
2196 if (replay->count == 0)
2199 if (seq > replay->lastseq) {
2200 /* larger sequences are okay */
2203 /* seq is equal or less than lastseq. */
2204 diff = replay->lastseq - seq;
2206 /* over range to check, i.e. too old or wrapped */
2210 fr = frlast - diff / 8;
2212 /* this packet already seen ? */
2213 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2216 /* out of order but good */
2222 * check replay counter whether to update or not.
2227 ipsec_updatereplay(seq, sav)
2229 struct secasvar *sav;
2231 struct secreplay *replay;
2234 u_int32_t wsizeb; /* constant: bits of window size */
2235 int frlast; /* constant: last frame */
2239 panic("ipsec_chkreplay: NULL pointer was passed.\n");
2241 replay = sav->replay;
2243 if (replay->wsize == 0)
2244 goto ok; /* no need to check replay. */
2247 frlast = replay->wsize - 1;
2248 wsizeb = replay->wsize << 3;
2250 /* sequence number of 0 is invalid */
2255 if (replay->count == 0) {
2256 replay->lastseq = seq;
2257 bzero(replay->bitmap, replay->wsize);
2258 (replay->bitmap)[frlast] = 1;
2262 if (seq > replay->lastseq) {
2263 /* seq is larger than lastseq. */
2264 diff = seq - replay->lastseq;
2266 /* new larger sequence number */
2267 if (diff < wsizeb) {
2269 /* set bit for this packet */
2270 vshiftl(replay->bitmap, diff, replay->wsize);
2271 (replay->bitmap)[frlast] |= 1;
2273 /* this packet has a "way larger" */
2274 bzero(replay->bitmap, replay->wsize);
2275 (replay->bitmap)[frlast] = 1;
2277 replay->lastseq = seq;
2279 /* larger is good */
2281 /* seq is equal or less than lastseq. */
2282 diff = replay->lastseq - seq;
2284 /* over range to check, i.e. too old or wrapped */
2288 fr = frlast - diff / 8;
2290 /* this packet already seen ? */
2291 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
2295 (replay->bitmap)[fr] |= (1 << (diff % 8));
2297 /* out of order but good */
2301 if (replay->count == ~0) {
2303 /* set overflow flag */
2306 /* don't increment, no more packets accepted */
2307 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
2310 ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2311 replay->overflow, ipsec_logsastr(sav)));
2320 * shift variable length buffer to left.
2321 * IN: bitmap: pointer to the buffer
2322 * nbit: the number of to shift.
2323 * wsize: buffer size (bytes).
2326 vshiftl(bitmap, nbit, wsize)
2327 unsigned char *bitmap;
2333 for (j = 0; j < nbit; j += 8) {
2334 s = (nbit - j < 8) ? (nbit - j): 8;
2336 for (i = 1; i < wsize; i++) {
2337 over = (bitmap[i] >> (8 - s));
2339 bitmap[i-1] |= over;
2347 ipsec4_logpacketstr(ip, spi)
2351 static char buf[256];
2355 s = (u_int8_t *)(&ip->ip_src);
2356 d = (u_int8_t *)(&ip->ip_dst);
2359 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2362 snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2363 s[0], s[1], s[2], s[3]);
2366 snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2367 d[0], d[1], d[2], d[3]);
2370 snprintf(p, sizeof(buf) - (p - buf), ")");
2377 ipsec6_logpacketstr(ip6, spi)
2378 struct ip6_hdr *ip6;
2381 static char buf[256];
2385 snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2388 snprintf(p, sizeof(buf) - (p - buf), "src=%s",
2389 ip6_sprintf(&ip6->ip6_src));
2392 snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
2393 ip6_sprintf(&ip6->ip6_dst));
2396 snprintf(p, sizeof(buf) - (p - buf), ")");
2404 struct secasvar *sav;
2406 static char buf[256];
2408 struct secasindex *saidx = &sav->sah->saidx;
2410 /* validity check */
2411 if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2412 != ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
2413 panic("ipsec_logsastr: family mismatched.\n");
2416 snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2419 if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
2421 s = (u_int8_t *)&((struct sockaddr_in *)&saidx->src)->sin_addr;
2422 d = (u_int8_t *)&((struct sockaddr_in *)&saidx->dst)->sin_addr;
2423 snprintf(p, sizeof(buf) - (p - buf),
2424 "src=%d.%d.%d.%d dst=%d.%d.%d.%d",
2425 s[0], s[1], s[2], s[3], d[0], d[1], d[2], d[3]);
2428 else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
2429 snprintf(p, sizeof(buf) - (p - buf),
2431 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
2434 snprintf(p, sizeof(buf) - (p - buf),
2436 ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
2441 snprintf(p, sizeof(buf) - (p - buf), ")");
2457 p = mtod(m, u_char *);
2458 for (i = 0; i < m->m_len; i++) {
2459 printf("%02x ", p[i]);
2461 if (totlen % 16 == 0)
2466 if (totlen % 16 != 0)
2473 * IPsec output logic for IPv4.
2476 ipsec4_output(state, sp, flags)
2477 struct ipsec_output_state *state;
2478 struct secpolicy *sp;
2481 struct ip *ip = NULL;
2482 struct ipsecrequest *isr = NULL;
2483 struct secasindex saidx;
2486 struct sockaddr_in *dst4;
2487 struct sockaddr_in *sin;
2490 panic("state == NULL in ipsec4_output");
2492 panic("state->m == NULL in ipsec4_output");
2494 panic("state->ro == NULL in ipsec4_output");
2496 panic("state->dst == NULL in ipsec4_output");
2498 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2499 printf("ipsec4_output: applyed SP\n");
2500 kdebug_secpolicy(sp));
2502 for (isr = sp->req; isr != NULL; isr = isr->next) {
2504 #if 0 /* give up to check restriction of transport mode */
2505 /* XXX but should be checked somewhere */
2507 * some of the IPsec operation must be performed only in
2510 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT
2511 && (flags & IP_FORWARDING))
2515 /* make SA index for search proper SA */
2516 ip = mtod(state->m, struct ip *);
2517 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2518 saidx.mode = isr->saidx.mode;
2519 saidx.reqid = isr->saidx.reqid;
2520 sin = (struct sockaddr_in *)&saidx.src;
2521 if (sin->sin_len == 0) {
2522 sin->sin_len = sizeof(*sin);
2523 sin->sin_family = AF_INET;
2524 sin->sin_port = IPSEC_PORT_ANY;
2525 bcopy(&ip->ip_src, &sin->sin_addr,
2526 sizeof(sin->sin_addr));
2528 sin = (struct sockaddr_in *)&saidx.dst;
2529 if (sin->sin_len == 0) {
2530 sin->sin_len = sizeof(*sin);
2531 sin->sin_family = AF_INET;
2532 sin->sin_port = IPSEC_PORT_ANY;
2533 bcopy(&ip->ip_dst, &sin->sin_addr,
2534 sizeof(sin->sin_addr));
2537 if ((error = key_checkrequest(isr, &saidx)) != 0) {
2539 * IPsec processing is required, but no SA found.
2540 * I assume that key_acquire() had been called
2541 * to get/establish the SA. Here I discard
2542 * this packet because it is responsibility for
2543 * upper layer to retransmit the packet.
2545 ipsecstat.out_nosa++;
2549 /* validity check */
2550 if (isr->sav == NULL) {
2551 switch (ipsec_get_reqlevel(isr)) {
2552 case IPSEC_LEVEL_USE:
2554 case IPSEC_LEVEL_REQUIRE:
2555 /* must be not reached here. */
2556 panic("ipsec4_output: no SA found, but required.");
2561 * If there is no valid SA, we give up to process any
2562 * more. In such a case, the SA's status is changed
2563 * from DYING to DEAD after allocating. If a packet
2564 * send to the receiver by dead SA, the receiver can
2565 * not decode a packet because SA has been dead.
2567 if (isr->sav->state != SADB_SASTATE_MATURE
2568 && isr->sav->state != SADB_SASTATE_DYING) {
2569 ipsecstat.out_nosa++;
2575 * There may be the case that SA status will be changed when
2576 * we are refering to one. So calling splsoftnet().
2580 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2582 * build IPsec tunnel.
2584 /* XXX should be processed with other familiy */
2585 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET) {
2586 ipseclog((LOG_ERR, "ipsec4_output: "
2587 "family mismatched between inner and outer spi=%u\n",
2588 (u_int32_t)ntohl(isr->sav->spi)));
2590 error = EAFNOSUPPORT;
2594 state->m = ipsec4_splithdr(state->m);
2600 error = ipsec4_encapsulate(state->m, isr->sav);
2606 ip = mtod(state->m, struct ip *);
2608 state->ro = &isr->sav->sah->sa_route;
2609 state->dst = (struct sockaddr *)&state->ro->ro_dst;
2610 dst4 = (struct sockaddr_in *)state->dst;
2611 if (state->ro->ro_rt
2612 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
2613 || dst4->sin_addr.s_addr != ip->ip_dst.s_addr)) {
2614 RTFREE(state->ro->ro_rt);
2615 state->ro->ro_rt = NULL;
2617 if (state->ro->ro_rt == 0) {
2618 dst4->sin_family = AF_INET;
2619 dst4->sin_len = sizeof(*dst4);
2620 dst4->sin_addr = ip->ip_dst;
2623 if (state->ro->ro_rt == 0) {
2624 ipstat.ips_noroute++;
2625 error = EHOSTUNREACH;
2629 /* adjust state->dst if tunnel endpoint is offlink */
2630 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
2631 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
2632 dst4 = (struct sockaddr_in *)state->dst;
2637 state->m = ipsec4_splithdr(state->m);
2642 switch (isr->saidx.proto) {
2645 if ((error = esp4_output(state->m, isr)) != 0) {
2657 if ((error = ah4_output(state->m, isr)) != 0) {
2662 case IPPROTO_IPCOMP:
2663 if ((error = ipcomp4_output(state->m, isr)) != 0) {
2670 "ipsec4_output: unknown ipsec protocol %d\n",
2678 if (state->m == 0) {
2682 ip = mtod(state->m, struct ip *);
2696 * IPsec output logic for IPv6, transport mode.
2699 ipsec6_output_trans(state, nexthdrp, mprev, sp, flags, tun)
2700 struct ipsec_output_state *state;
2703 struct secpolicy *sp;
2707 struct ip6_hdr *ip6;
2708 struct ipsecrequest *isr = NULL;
2709 struct secasindex saidx;
2712 struct sockaddr_in6 *sin6;
2715 panic("state == NULL in ipsec6_output_trans");
2717 panic("state->m == NULL in ipsec6_output_trans");
2719 panic("nexthdrp == NULL in ipsec6_output_trans");
2721 panic("mprev == NULL in ipsec6_output_trans");
2723 panic("sp == NULL in ipsec6_output_trans");
2725 panic("tun == NULL in ipsec6_output_trans");
2727 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2728 printf("ipsec6_output_trans: applyed SP\n");
2729 kdebug_secpolicy(sp));
2732 for (isr = sp->req; isr; isr = isr->next) {
2733 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2734 /* the rest will be handled by ipsec6_output_tunnel() */
2738 /* make SA index for search proper SA */
2739 ip6 = mtod(state->m, struct ip6_hdr *);
2740 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2741 saidx.mode = isr->saidx.mode;
2742 saidx.reqid = isr->saidx.reqid;
2743 sin6 = (struct sockaddr_in6 *)&saidx.src;
2744 if (sin6->sin6_len == 0) {
2745 sin6->sin6_len = sizeof(*sin6);
2746 sin6->sin6_family = AF_INET6;
2747 sin6->sin6_port = IPSEC_PORT_ANY;
2748 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2749 sizeof(ip6->ip6_src));
2750 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2751 /* fix scope id for comparing SPD */
2752 sin6->sin6_addr.s6_addr16[1] = 0;
2753 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2756 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2757 if (sin6->sin6_len == 0) {
2758 sin6->sin6_len = sizeof(*sin6);
2759 sin6->sin6_family = AF_INET6;
2760 sin6->sin6_port = IPSEC_PORT_ANY;
2761 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2762 sizeof(ip6->ip6_dst));
2763 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2764 /* fix scope id for comparing SPD */
2765 sin6->sin6_addr.s6_addr16[1] = 0;
2766 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2770 if (key_checkrequest(isr, &saidx) == ENOENT) {
2772 * IPsec processing is required, but no SA found.
2773 * I assume that key_acquire() had been called
2774 * to get/establish the SA. Here I discard
2775 * this packet because it is responsibility for
2776 * upper layer to retransmit the packet.
2778 ipsec6stat.out_nosa++;
2782 * Notify the fact that the packet is discarded
2783 * to ourselves. I believe this is better than
2784 * just silently discarding. (jinmei@kame.net)
2785 * XXX: should we restrict the error to TCP packets?
2786 * XXX: should we directly notify sockets via
2789 icmp6_error(state->m, ICMP6_DST_UNREACH,
2790 ICMP6_DST_UNREACH_ADMIN, 0);
2791 state->m = NULL; /* icmp6_error freed the mbuf */
2795 /* validity check */
2796 if (isr->sav == NULL) {
2797 switch (ipsec_get_reqlevel(isr)) {
2798 case IPSEC_LEVEL_USE:
2800 case IPSEC_LEVEL_REQUIRE:
2801 /* must be not reached here. */
2802 panic("ipsec6_output_trans: no SA found, but required.");
2807 * If there is no valid SA, we give up to process.
2808 * see same place at ipsec4_output().
2810 if (isr->sav->state != SADB_SASTATE_MATURE
2811 && isr->sav->state != SADB_SASTATE_DYING) {
2812 ipsec6stat.out_nosa++;
2817 switch (isr->saidx.proto) {
2820 error = esp6_output(state->m, nexthdrp, mprev->m_next, isr);
2827 error = ah6_output(state->m, nexthdrp, mprev->m_next, isr);
2829 case IPPROTO_IPCOMP:
2830 error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, isr);
2833 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2834 "unknown ipsec protocol %d\n", isr->saidx.proto));
2836 ipsec6stat.out_inval++;
2844 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2845 if (plen > IPV6_MAXPACKET) {
2846 ipseclog((LOG_ERR, "ipsec6_output_trans: "
2847 "IPsec with IPv6 jumbogram is not supported\n"));
2848 ipsec6stat.out_inval++;
2849 error = EINVAL; /* XXX */
2852 ip6 = mtod(state->m, struct ip6_hdr *);
2853 ip6->ip6_plen = htons(plen);
2856 /* if we have more to go, we need a tunnel mode processing */
2869 * IPsec output logic for IPv6, tunnel mode.
2872 ipsec6_output_tunnel(state, sp, flags)
2873 struct ipsec_output_state *state;
2874 struct secpolicy *sp;
2877 struct ip6_hdr *ip6;
2878 struct ipsecrequest *isr = NULL;
2879 struct secasindex saidx;
2882 struct sockaddr_in6* dst6;
2886 panic("state == NULL in ipsec6_output_tunnel");
2888 panic("state->m == NULL in ipsec6_output_tunnel");
2890 panic("sp == NULL in ipsec6_output_tunnel");
2892 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2893 printf("ipsec6_output_tunnel: applyed SP\n");
2894 kdebug_secpolicy(sp));
2897 * transport mode ipsec (before the 1st tunnel mode) is already
2898 * processed by ipsec6_output_trans().
2900 for (isr = sp->req; isr; isr = isr->next) {
2901 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
2905 for (/* already initialized */; isr; isr = isr->next) {
2906 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2907 /* When tunnel mode, SA peers must be specified. */
2908 bcopy(&isr->saidx, &saidx, sizeof(saidx));
2910 /* make SA index to look for a proper SA */
2911 struct sockaddr_in6 *sin6;
2913 bzero(&saidx, sizeof(saidx));
2914 saidx.proto = isr->saidx.proto;
2915 saidx.mode = isr->saidx.mode;
2916 saidx.reqid = isr->saidx.reqid;
2918 ip6 = mtod(state->m, struct ip6_hdr *);
2919 sin6 = (struct sockaddr_in6 *)&saidx.src;
2920 if (sin6->sin6_len == 0) {
2921 sin6->sin6_len = sizeof(*sin6);
2922 sin6->sin6_family = AF_INET6;
2923 sin6->sin6_port = IPSEC_PORT_ANY;
2924 bcopy(&ip6->ip6_src, &sin6->sin6_addr,
2925 sizeof(ip6->ip6_src));
2926 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
2927 /* fix scope id for comparing SPD */
2928 sin6->sin6_addr.s6_addr16[1] = 0;
2929 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
2932 sin6 = (struct sockaddr_in6 *)&saidx.dst;
2933 if (sin6->sin6_len == 0) {
2934 sin6->sin6_len = sizeof(*sin6);
2935 sin6->sin6_family = AF_INET6;
2936 sin6->sin6_port = IPSEC_PORT_ANY;
2937 bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
2938 sizeof(ip6->ip6_dst));
2939 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
2940 /* fix scope id for comparing SPD */
2941 sin6->sin6_addr.s6_addr16[1] = 0;
2942 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
2947 if (key_checkrequest(isr, &saidx) == ENOENT) {
2949 * IPsec processing is required, but no SA found.
2950 * I assume that key_acquire() had been called
2951 * to get/establish the SA. Here I discard
2952 * this packet because it is responsibility for
2953 * upper layer to retransmit the packet.
2955 ipsec6stat.out_nosa++;
2960 /* validity check */
2961 if (isr->sav == NULL) {
2962 switch (ipsec_get_reqlevel(isr)) {
2963 case IPSEC_LEVEL_USE:
2965 case IPSEC_LEVEL_REQUIRE:
2966 /* must be not reached here. */
2967 panic("ipsec6_output_tunnel: no SA found, but required.");
2972 * If there is no valid SA, we give up to process.
2973 * see same place at ipsec4_output().
2975 if (isr->sav->state != SADB_SASTATE_MATURE
2976 && isr->sav->state != SADB_SASTATE_DYING) {
2977 ipsec6stat.out_nosa++;
2983 * There may be the case that SA status will be changed when
2984 * we are refering to one. So calling splsoftnet().
2988 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2990 * build IPsec tunnel.
2992 /* XXX should be processed with other familiy */
2993 if (((struct sockaddr *)&isr->sav->sah->saidx.src)->sa_family != AF_INET6) {
2994 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
2995 "family mismatched between inner and outer, spi=%u\n",
2996 (u_int32_t)ntohl(isr->sav->spi)));
2998 ipsec6stat.out_inval++;
2999 error = EAFNOSUPPORT;
3003 state->m = ipsec6_splithdr(state->m);
3006 ipsec6stat.out_nomem++;
3010 error = ipsec6_encapsulate(state->m, isr->sav);
3016 ip6 = mtod(state->m, struct ip6_hdr *);
3018 state->ro = &isr->sav->sah->sa_route;
3019 state->dst = (struct sockaddr *)&state->ro->ro_dst;
3020 dst6 = (struct sockaddr_in6 *)state->dst;
3021 if (state->ro->ro_rt
3022 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
3023 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
3024 RTFREE(state->ro->ro_rt);
3025 state->ro->ro_rt = NULL;
3027 if (state->ro->ro_rt == 0) {
3028 bzero(dst6, sizeof(*dst6));
3029 dst6->sin6_family = AF_INET6;
3030 dst6->sin6_len = sizeof(*dst6);
3031 dst6->sin6_addr = ip6->ip6_dst;
3034 if (state->ro->ro_rt == 0) {
3035 ip6stat.ip6s_noroute++;
3036 ipsec6stat.out_noroute++;
3037 error = EHOSTUNREACH;
3041 /* adjust state->dst if tunnel endpoint is offlink */
3042 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
3043 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
3044 dst6 = (struct sockaddr_in6 *)state->dst;
3049 state->m = ipsec6_splithdr(state->m);
3051 ipsec6stat.out_nomem++;
3055 ip6 = mtod(state->m, struct ip6_hdr *);
3056 switch (isr->saidx.proto) {
3059 error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3066 error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, isr);
3068 case IPPROTO_IPCOMP:
3069 /* XXX code should be here */
3072 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3073 "unknown ipsec protocol %d\n", isr->saidx.proto));
3075 ipsec6stat.out_inval++;
3083 plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3084 if (plen > IPV6_MAXPACKET) {
3085 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3086 "IPsec with IPv6 jumbogram is not supported\n"));
3087 ipsec6stat.out_inval++;
3088 error = EINVAL; /* XXX */
3091 ip6 = mtod(state->m, struct ip6_hdr *);
3092 ip6->ip6_plen = htons(plen);
3106 * Chop IP header and option off from the payload.
3108 static struct mbuf *
3116 if (m->m_len < sizeof(struct ip))
3117 panic("ipsec4_splithdr: first mbuf too short");
3118 ip = mtod(m, struct ip *);
3120 hlen = _IP_VHL_HL(ip->ip_vhl) << 2;
3122 hlen = ip->ip_hl << 2;
3124 if (m->m_len > hlen) {
3125 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3130 M_COPY_PKTHDR(mh, m);
3132 m->m_flags &= ~M_PKTHDR;
3138 bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
3139 } else if (m->m_len < hlen) {
3140 m = m_pullup(m, hlen);
3149 static struct mbuf *
3154 struct ip6_hdr *ip6;
3157 if (m->m_len < sizeof(struct ip6_hdr))
3158 panic("ipsec6_splithdr: first mbuf too short");
3159 ip6 = mtod(m, struct ip6_hdr *);
3160 hlen = sizeof(struct ip6_hdr);
3161 if (m->m_len > hlen) {
3162 MGETHDR(mh, M_DONTWAIT, MT_HEADER);
3167 M_COPY_PKTHDR(mh, m);
3169 m->m_flags &= ~M_PKTHDR;
3175 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
3176 } else if (m->m_len < hlen) {
3177 m = m_pullup(m, hlen);
3185 /* validate inbound IPsec tunnel packet. */
3187 ipsec4_tunnel_validate(m, off, nxt0, sav)
3188 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3191 struct secasvar *sav;
3193 u_int8_t nxt = nxt0 & 0xff;
3194 struct sockaddr_in *sin;
3195 struct sockaddr_in osrc, odst, isrc, idst;
3197 struct secpolicy *sp;
3201 if (m->m_len < sizeof(struct ip))
3202 panic("too short mbuf on ipsec4_tunnel_validate");
3204 if (nxt != IPPROTO_IPV4)
3206 if (m->m_pkthdr.len < off + sizeof(struct ip))
3208 /* do not decapsulate if the SA is for transport mode only */
3209 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3212 oip = mtod(m, struct ip *);
3214 hlen = _IP_VHL_HL(oip->ip_vhl) << 2;
3216 hlen = oip->ip_hl << 2;
3218 if (hlen != sizeof(struct ip))
3221 /* AF_INET6 should be supported, but at this moment we don't. */
3222 sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
3223 if (sin->sin_family != AF_INET)
3225 if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != 0)
3229 bzero(&osrc, sizeof(osrc));
3230 bzero(&odst, sizeof(odst));
3231 bzero(&isrc, sizeof(isrc));
3232 bzero(&idst, sizeof(idst));
3233 osrc.sin_family = odst.sin_family = isrc.sin_family = idst.sin_family =
3235 osrc.sin_len = odst.sin_len = isrc.sin_len = idst.sin_len =
3236 sizeof(struct sockaddr_in);
3237 osrc.sin_addr = oip->ip_src;
3238 odst.sin_addr = oip->ip_dst;
3239 m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(isrc.sin_addr),
3240 (caddr_t)&isrc.sin_addr);
3241 m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(idst.sin_addr),
3242 (caddr_t)&idst.sin_addr);
3245 * RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
3246 * - if the inner destination is multicast address, there can be
3247 * multiple permissible inner source address. implementation
3248 * may want to skip verification of inner source address against
3250 * - if the inner protocol is ICMP, the packet may be an error report
3251 * from routers on the other side of the VPN cloud (R in the
3252 * following diagram). in this case, we cannot verify inner source
3253 * address against SPD selector.
3254 * me -- gw === gw -- R -- you
3256 * we consider the first bullet to be users responsibility on SPD entry
3257 * configuration (if you need to encrypt multicast traffic, set
3258 * the source range of SPD selector to 0.0.0.0/0, or have explicit
3259 * address ranges for possible senders).
3260 * the second bullet is not taken care of (yet).
3262 * therefore, we do not do anything special about inner source.
3265 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3266 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3275 /* validate inbound IPsec tunnel packet. */
3277 ipsec6_tunnel_validate(m, off, nxt0, sav)
3278 struct mbuf *m; /* no pullup permitted, m->m_len >= ip */
3281 struct secasvar *sav;
3283 u_int8_t nxt = nxt0 & 0xff;
3284 struct sockaddr_in6 *sin6;
3285 struct sockaddr_in6 osrc, odst, isrc, idst;
3286 struct secpolicy *sp;
3287 struct ip6_hdr *oip6;
3290 if (m->m_len < sizeof(struct ip6_hdr))
3291 panic("too short mbuf on ipsec6_tunnel_validate");
3293 if (nxt != IPPROTO_IPV6)
3295 if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
3297 /* do not decapsulate if the SA is for transport mode only */
3298 if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
3301 oip6 = mtod(m, struct ip6_hdr *);
3302 /* AF_INET should be supported, but at this moment we don't. */
3303 sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
3304 if (sin6->sin6_family != AF_INET6)
3306 if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
3310 bzero(&osrc, sizeof(osrc));
3311 bzero(&odst, sizeof(odst));
3312 bzero(&isrc, sizeof(isrc));
3313 bzero(&idst, sizeof(idst));
3314 osrc.sin6_family = odst.sin6_family = isrc.sin6_family =
3315 idst.sin6_family = AF_INET6;
3316 osrc.sin6_len = odst.sin6_len = isrc.sin6_len = idst.sin6_len =
3317 sizeof(struct sockaddr_in6);
3318 osrc.sin6_addr = oip6->ip6_src;
3319 odst.sin6_addr = oip6->ip6_dst;
3320 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src),
3321 sizeof(isrc.sin6_addr), (caddr_t)&isrc.sin6_addr);
3322 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
3323 sizeof(idst.sin6_addr), (caddr_t)&idst.sin6_addr);
3326 * regarding to inner source address validation, see a long comment
3327 * in ipsec4_tunnel_validate.
3330 sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
3331 (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
3333 * when there is no suitable inbound policy for the packet of the ipsec
3334 * tunnel mode, the kernel never decapsulate the tunneled packet
3335 * as the ipsec tunnel mode even when the system wide policy is "none".
3336 * then the kernel leaves the generic tunnel module to process this
3337 * packet. if there is no rule of the generic tunnel, the packet
3338 * is rejected and the statistics will be counted up.
3349 * Make a mbuf chain for encryption.
3350 * If the original mbuf chain contains a mbuf with a cluster,
3351 * allocate a new cluster and copy the data to the new cluster.
3352 * XXX: this hack is inefficient, but is necessary to handle cases
3353 * of TCP retransmission...
3359 struct mbuf *n, **mpp, *mnew;
3361 for (n = m, mpp = &m; n; n = n->m_next) {
3362 if (n->m_flags & M_EXT) {
3364 * Make a copy only if there are more than one
3365 * references to the cluster.
3366 * XXX: is this approach effective?
3368 if (n->m_ext.ext_type != EXT_CLUSTER || MEXT_IS_REF(n))
3373 if (n->m_flags & M_PKTHDR) {
3374 MGETHDR(mnew, M_DONTWAIT, MT_HEADER);
3377 mnew->m_pkthdr = n->m_pkthdr;
3379 if (n->m_pkthdr.aux) {
3380 mnew->m_pkthdr.aux =
3381 m_copym(n->m_pkthdr.aux,
3382 0, M_COPYALL, M_DONTWAIT);
3385 M_COPY_PKTHDR(mnew, n);
3386 mnew->m_flags = n->m_flags & M_COPYFLAGS;
3389 MGET(mnew, M_DONTWAIT, MT_DATA);
3397 * Copy data. If we don't have enough space to
3398 * store the whole data, allocate a cluster
3399 * or additional mbufs.
3400 * XXX: we don't use m_copyback(), since the
3401 * function does not use clusters and thus is
3410 if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
3412 else { /* allocate a cluster */
3413 MCLGET(mm, M_DONTWAIT);
3414 if (!(mm->m_flags & M_EXT)) {
3418 len = remain < MCLBYTES ?
3422 bcopy(n->m_data + copied, mm->m_data,
3429 if (remain <= 0) /* completed? */
3432 /* need another mbuf */
3433 MGETHDR(mn, M_DONTWAIT, MT_HEADER);
3436 mn->m_pkthdr.rcvif = NULL;
3442 mm->m_next = m_free(n);
3460 static struct mbuf *
3466 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3468 n = m_aux_add(m, AF_INET, IPPROTO_ESP);
3470 return n; /* ENOBUFS */
3471 n->m_len = sizeof(struct socket *);
3472 bzero(mtod(n, void *), n->m_len);
3476 static struct mbuf *
3482 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3484 if (n && n->m_len < sizeof(struct socket *))
3485 panic("invalid ipsec m_aux");
3496 n = m_aux_find(m, AF_INET, IPPROTO_ESP);
3501 /* if the aux buffer is unnecessary, nuke it. */
3510 if (n->m_len == sizeof(struct socket *) && !*mtod(n, struct socket **))
3515 ipsec_setsocket(m, so)
3521 /* if so == NULL, don't insist on getting the aux mbuf */
3523 n = ipsec_addaux(m);
3527 n = ipsec_findaux(m);
3528 if (n && n->m_len >= sizeof(struct socket *))
3529 *mtod(n, struct socket **) = so;
3540 n = ipsec_findaux(m);
3541 if (n && n->m_len >= sizeof(struct socket *))
3542 return *mtod(n, struct socket **);
3548 ipsec_addhist(m, proto, spi)
3554 struct ipsec_history *p;
3556 n = ipsec_addaux(m);
3559 if (M_TRAILINGSPACE(n) < sizeof(*p))
3560 return ENOSPC; /* XXX */
3561 p = (struct ipsec_history *)(mtod(n, caddr_t) + n->m_len);
3562 n->m_len += sizeof(*p);
3563 bzero(p, sizeof(*p));
3564 p->ih_proto = proto;
3569 struct ipsec_history *
3570 ipsec_gethist(m, lenp)
3577 n = ipsec_findaux(m);
3581 if (sizeof(struct socket *) > l)
3583 if ((l - sizeof(struct socket *)) % sizeof(struct ipsec_history))
3585 /* XXX does it make more sense to divide by sizeof(ipsec_history)? */
3587 *lenp = l - sizeof(struct socket *);
3588 return (struct ipsec_history *)
3589 (mtod(n, caddr_t) + sizeof(struct socket *));
3598 n = ipsec_findaux(m);
3599 if ((n) && n->m_len > sizeof(struct socket *))
3600 n->m_len = sizeof(struct socket *);