ipsec.c source code [src/src/sys/netipsec/ipsec.c]

1	/ $NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $ /
2	/ $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ /
3	/ $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ /
4
5	/*
6	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7	* All rights reserved.
8	*
9	* Redistribution and use in source and binary forms, with or without
10	* modification, are permitted provided that the following conditions
11	* are met:
12	* 1. Redistributions of source code must retain the above copyright
13	* notice, this list of conditions and the following disclaimer.
14	* 2. Redistributions in binary form must reproduce the above copyright
15	* notice, this list of conditions and the following disclaimer in the
16	* documentation and/or other materials provided with the distribution.
17	* 3. Neither the name of the project nor the names of its contributors
18	* may be used to endorse or promote products derived from this software
19	* without specific prior written permission.
20	*
21	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31	* SUCH DAMAGE.
32	*/
33
34	#include <sys/cdefs.h>
35	__KERNEL_RCSID(`0`, "$NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $");
36
37	/*
38	* IPsec controller part.
39	*/
40
41	#include "opt_inet.h"
42	#ifdef __FreeBSD__
43	#include "opt_inet6.h"
44	#endif
45	#include "opt_ipsec.h"
46
47	#include <sys/param.h>
48	#include <sys/systm.h>
49	#include <sys/malloc.h>
50	#include <sys/mbuf.h>
51	#include <sys/domain.h>
52	#include <sys/protosw.h>
53	#include <sys/socket.h>
54	#include <sys/socketvar.h>
55	#include <sys/errno.h>
56	#include <sys/time.h>
57	#include <sys/kernel.h>
58	#include <sys/syslog.h>
59	#include <sys/sysctl.h>
60	#include <sys/proc.h>
61	#include <sys/kauth.h>
62
63	#include <net/if.h>
64	#include <net/route.h>
65
66	#include <netinet/in.h>
67	#include <netinet/in_systm.h>
68	#include <netinet/ip.h>
69	#include <netinet/ip_var.h>
70	#include <netinet/in_var.h>
71	#include <netinet/udp.h>
72	#include <netinet/udp_var.h>
73	#include <netinet/tcp.h>
74	#include <netinet/udp.h>
75	#include <netinet/ip_icmp.h>
76	#include <netinet/ip_private.h>
77
78	#include <netinet/ip6.h>
79	#ifdef INET6
80	#include <netinet6/ip6_var.h>
81	#endif
82	#include <netinet/in_pcb.h>
83	#ifdef INET6
84	#include <netinet6/in6_pcb.h>
85	#include <netinet/icmp6.h>
86	#endif
87
88	#include <netipsec/ipsec.h>
89	#include <netipsec/ipsec_var.h>
90	#include <netipsec/ipsec_private.h>
91	#ifdef INET6
92	#include <netipsec/ipsec6.h>
93	#endif
94	#include <netipsec/ah_var.h>
95	#include <netipsec/esp_var.h>
96	#include <netipsec/ipcomp.h> /XXX/
97	#include <netipsec/ipcomp_var.h>
98
99	#include <netipsec/key.h>
100	#include <netipsec/keydb.h>
101	#include <netipsec/key_debug.h>
102
103	#include <netipsec/xform.h>
104
105	#include <netipsec/ipsec_osdep.h>
106
107	#include <net/net_osdep.h>
108
109	int ipsec_used = `0`;
110	int ipsec_enabled = `1`;
111
112	#ifdef IPSEC_DEBUG
113	int ipsec_debug = `1`;
114
115	/*
116	* When set to 1, IPsec will send packets with the same sequence number.
117	* This allows to verify if the other side has proper replay attacks detection.
118	*/
119	int ipsec_replay = `0`;
120
121	/*
122	* When set 1, IPsec will send packets with corrupted HMAC.
123	* This allows to verify if the other side properly detects modified packets.
124	*/
125	int ipsec_integrity = `0`;
126	#else
127	int ipsec_debug = `0`;
128	#endif
129
130	percpu_t *ipsecstat_percpu;
131	int ip4_ah_offsetmask = `0`; / maybe IP_DF? /
132	int ip4_ipsec_dfbit = `2`; / DF bit on encap. 0: clear 1: set 2: copy /
133	int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
134	int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
135	int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
136	int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
137	struct secpolicy ip4_def_policy;
138	int ip4_ipsec_ecn = `0`; / ECN ignore(-1)/forbidden(0)/allowed(1) /
139	int ip4_esp_randpad = -`1`;
140
141	#ifdef __NetBSD__
142	u_int ipsec_spdgen = `1`; / SPD generation # /
143
144	static struct secpolicy ipsec_checkpcbcache (struct* mbuf *,
145	struct inpcbpolicy , int*);
146	static int ipsec_fillpcbcache (struct inpcbpolicy , struct* mbuf *,
147	struct secpolicy , int*);
148	static int ipsec_invalpcbcache (struct inpcbpolicy , int*);
149	#endif /* __NetBSD__ */
150
151	/*
152	* Crypto support requirements:
153	*
154	* 1 require hardware support
155	* -1 require software support
156	* 0 take anything
157	*/
158	int crypto_support = `0`;
159
160	static struct secpolicy ipsec_getpolicybysock(struct* mbuf *, u_int,
161	PCB_T , int* *);
162
163	#ifdef __FreeBSD__
164	SYSCTL_DECL(_net_inet_ipsec);
165
166	/ net.inet.ipsec /
167	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
168	def_policy, CTLFLAG_RW, &ip4_def_policy.policy, `0`, "");
169	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
170	CTLFLAG_RW, &ip4_esp_trans_deflev, `0`, "");
171	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
172	CTLFLAG_RW, &ip4_esp_net_deflev, `0`, "");
173	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
174	CTLFLAG_RW, &ip4_ah_trans_deflev, `0`, "");
175	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
176	CTLFLAG_RW, &ip4_ah_net_deflev, `0`, "");
177	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
178	ah_cleartos, CTLFLAG_RW, &ip4_ah_cleartos, `0`, "");
179	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
180	ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, `0`, "");
181	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
182	dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, `0`, "");
183	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
184	ecn, CTLFLAG_RW, &ip4_ipsec_ecn, `0`, "");
185	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
186	debug, CTLFLAG_RW, &ipsec_debug, `0`, "");
187	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
188	esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, `0`, "");
189	SYSCTL_INT(_net_inet_ipsec, OID_AUTO,
190	crypto_support, CTLFLAG_RW, &crypto_support,`0`, "");
191	SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
192	ipsecstats, CTLFLAG_RD, &newipsecstat, newipsecstat, "");
193	SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, `0`,
194	"Emulate replay attack");
195	SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,
196	&ipsec_integrity, `0`, "Emulate man-in-the-middle attack");
197	#endif /* __FreeBSD__ */
198
199	#ifdef INET6
200	int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
201	int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
202	int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
203	int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
204	struct secpolicy ip6_def_policy;
205	int ip6_ipsec_ecn = `0`; / ECN ignore(-1)/forbidden(0)/allowed(1) /
206	int ip6_esp_randpad = -`1`;
207
208
209	#ifdef __FreeBSD__
210	SYSCTL_DECL(_net_inet6_ipsec6);
211
212	/ net.inet6.ipsec6 /
213	#ifdef COMPAT_KAME
214	SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
215	`0`,`0`, compat_ipsecstats_sysctl, "S", "");
216	#endif /* COMPAT_KAME */
217	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
218	def_policy, CTLFLAG_RW, &ip4_def_policy.policy, `0`, "");
219	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
220	CTLFLAG_RW, &ip6_esp_trans_deflev, `0`, "");
221	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
222	CTLFLAG_RW, &ip6_esp_net_deflev, `0`, "");
223	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
224	CTLFLAG_RW, &ip6_ah_trans_deflev, `0`, "");
225	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
226	CTLFLAG_RW, &ip6_ah_net_deflev, `0`, "");
227	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
228	ecn, CTLFLAG_RW, &ip6_ipsec_ecn, `0`, "");
229	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
230	debug, CTLFLAG_RW, &ipsec_debug, `0`, "");
231	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
232	esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, `0`, "");
233	#endif /* __FreeBSD__ */
234	#endif /* INET6 */
235
236	static int ipsec4_setspidx_inpcb (struct mbuf , struct* inpcb *);
237	#ifdef INET6
238	static int ipsec6_setspidx_in6pcb (struct mbuf , struct* in6pcb *);
239	#endif
240	static int ipsec_setspidx (struct mbuf , struct* secpolicyindex , int*);
241	static void ipsec4_get_ulp (struct mbuf m, struct* secpolicyindex , int*);
242	static int ipsec4_setspidx_ipaddr (struct mbuf , struct* secpolicyindex *);
243	#ifdef INET6
244	static void ipsec6_get_ulp (struct mbuf m, struct* secpolicyindex , int*);
245	static int ipsec6_setspidx_ipaddr (struct mbuf , struct* secpolicyindex *);
246	#endif
247	static void ipsec_delpcbpolicy (struct inpcbpolicy *);
248	static struct secpolicy ipsec_deepcopy_policy (const* struct secpolicy *);
249	static int ipsec_set_policy (struct secpolicy *, int, const* void *, size_t,
250	kauth_cred_t);
251	static int ipsec_get_policy (struct secpolicy , struct* mbuf **);
252	static void vshiftl (unsigned char , int, int*);
253	static size_t ipsec_hdrsiz (const struct secpolicy *);
254
255	#ifdef __NetBSD__
256	/*
257	* Try to validate and use cached policy on a PCB.
258	*/
259	static struct secpolicy *
260	ipsec_checkpcbcache(struct mbuf m, struct* inpcbpolicy pcbsp, int* dir)
261	{
262	struct secpolicyindex spidx;
263
264	switch (dir) {
265	case IPSEC_DIR_INBOUND:
266	case IPSEC_DIR_OUTBOUND:
267	case IPSEC_DIR_ANY:
268	break;
269	default:
270	return NULL;
271	}
272	#ifdef DIAGNOSTIC
273	if (pcbsp == NULL) {
274	printf("%s: NULL pcbsp\n", __func__);
275	/ XXX panic? /
276	return NULL;
277	}
278	#endif
279
280	#ifdef DIAGNOSTIC
281	if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[`0`]))
282	panic("dir too big in ipsec_checkpcbcache");
283	#endif
284	/ SPD table change invalidate all the caches. /
285	if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
286	ipsec_invalpcbcache(pcbsp, dir);
287	return NULL;
288	}
289	if (!pcbsp->sp_cache[dir].cachesp)
290	return NULL;
291	if (pcbsp->sp_cache[dir].cachesp->state != IPSEC_SPSTATE_ALIVE) {
292	ipsec_invalpcbcache(pcbsp, dir);
293	return NULL;
294	}
295	if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == `0`) {
296	if (!pcbsp->sp_cache[dir].cachesp)
297	return NULL;
298	if (ipsec_setspidx(m, &spidx, `1`) != `0`)
299	return NULL;
300
301	/*
302	* We have to make an exact match here since the cached rule
303	* might have lower priority than a rule that would otherwise
304	* have matched the packet.
305	*/
306
307	if (memcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx, sizeof(spidx)))
308	return NULL;
309
310	} else {
311	/*
312	* The pcb is connected, and the L4 code is sure that:
313	* - outgoing side uses inp_[lf]addr
314	* - incoming side looks up policy after inpcb lookup
315	* and address pair is know to be stable. We do not need
316	* to generate spidx again, nor check the address match again.
317	*
318	* For IPv4/v6 SOCK_STREAM sockets, this assumptions holds
319	* and there are calls to ipsec_pcbconn() from in_pcbconnect().
320	*/
321	}
322
323	pcbsp->sp_cache[dir].cachesp->lastused = time_second;
324	pcbsp->sp_cache[dir].cachesp->refcnt++;
325	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
326	printf("DP %s cause refcnt++:%d SP:%p\n", __func__,
327	pcbsp->sp_cache[dir].cachesp->refcnt,
328	pcbsp->sp_cache[dir].cachesp));
329	return pcbsp->sp_cache[dir].cachesp;
330	}
331
332	static int
333	ipsec_fillpcbcache(struct inpcbpolicy pcbsp, struct* mbuf *m,
334	struct secpolicy sp, int* dir)
335	{
336
337	switch (dir) {
338	case IPSEC_DIR_INBOUND:
339	case IPSEC_DIR_OUTBOUND:
340	break;
341	default:
342	return EINVAL;
343	}
344	#ifdef DIAGNOSTIC
345	if (dir >= sizeof(pcbsp->sp_cache)/sizeof(pcbsp->sp_cache[`0`]))
346	panic("dir too big in ipsec_fillpcbcache");
347	#endif
348
349	if (pcbsp->sp_cache[dir].cachesp)
350	KEY_FREESP(&pcbsp->sp_cache[dir].cachesp);
351	pcbsp->sp_cache[dir].cachesp = NULL;
352	pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_MAYBE;
353	if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, `1`) != `0`) {
354	return EINVAL;
355	}
356	pcbsp->sp_cache[dir].cachesp = sp;
357	if (pcbsp->sp_cache[dir].cachesp) {
358	pcbsp->sp_cache[dir].cachesp->refcnt++;
359	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
360	printf("DP %s cause refcnt++:%d SP:%p\n", __func__,
361	pcbsp->sp_cache[dir].cachesp->refcnt,
362	pcbsp->sp_cache[dir].cachesp));
363
364	/*
365	* If the PCB is connected, we can remember a hint to
366	* possibly short-circuit IPsec processing in other places.
367	*/
368	if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
369	switch (pcbsp->sp_cache[dir].cachesp->policy) {
370	case IPSEC_POLICY_NONE:
371	case IPSEC_POLICY_BYPASS:
372	pcbsp->sp_cache[dir].cachehint =
373	IPSEC_PCBHINT_NO;
374	break;
375	default:
376	pcbsp->sp_cache[dir].cachehint =
377	IPSEC_PCBHINT_YES;
378	}
379	}
380	}
381	pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
382
383	return `0`;
384	}
385
386	static int
387	ipsec_invalpcbcache(struct inpcbpolicy pcbsp, int* dir)
388	{
389	int i;
390
391	for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
392	if (dir != IPSEC_DIR_ANY && i != dir)
393	continue;
394	if (pcbsp->sp_cache[i].cachesp)
395	KEY_FREESP(&pcbsp->sp_cache[i].cachesp);
396	pcbsp->sp_cache[i].cachesp = NULL;
397	pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_MAYBE;
398	pcbsp->sp_cache[i].cachegen = `0`;
399	memset(&pcbsp->sp_cache[i].cacheidx, `0`,
400	sizeof(pcbsp->sp_cache[i].cacheidx));
401	}
402	return `0`;
403	}
404
405	void
406	ipsec_pcbconn(struct inpcbpolicy *pcbsp)
407	{
408
409	pcbsp->sp_cacheflags \|= IPSEC_PCBSP_CONNECTED;
410	ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
411	}
412
413	void
414	ipsec_pcbdisconn(struct inpcbpolicy *pcbsp)
415	{
416
417	pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
418	ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
419	}
420
421	void
422	ipsec_invalpcbcacheall(void)
423	{
424
425	if (ipsec_spdgen == UINT_MAX)
426	ipsec_spdgen = `1`;
427	else
428	ipsec_spdgen++;
429	}
430	#endif /* __NetBSD__ */
431
432	/*
433	* Return a held reference to the default SP.
434	*/
435	static struct secpolicy *
436	key_allocsp_default(int af, const char where, int* tag)
437	{
438	struct secpolicy *sp;
439
440	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
441	printf("DP %s from %s:%u\n", __func__, where, tag));
442
443	switch(af) {
444	case AF_INET:
445	sp = &ip4_def_policy;
446	break;
447	#ifdef INET6
448	case AF_INET6:
449	sp = &ip6_def_policy;
450	break;
451	#endif
452	default:
453	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
454	printf("%s: unexpected protocol family %u\n", __func__,
455	af));
456	return NULL;
457	}
458
459	if (sp->policy != IPSEC_POLICY_DISCARD &&
460	sp->policy != IPSEC_POLICY_NONE) {
461	ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
462	sp->policy, IPSEC_POLICY_NONE));
463	sp->policy = IPSEC_POLICY_NONE;
464	}
465	sp->refcnt++;
466
467	KEYDEBUG(KEYDEBUG_IPSEC_STAMP, printf("DP %s returns SP:%p (%u)\n",
468	__func__, sp, sp->refcnt));
469	return sp;
470	}
471	#define KEY_ALLOCSP_DEFAULT(af) \
472	key_allocsp_default((af),__FILE__, __LINE__)
473
474	/*
475	* For OUTBOUND packet having a socket. Searching SPD for packet,
476	* and return a pointer to SP.
477	* OUT: NULL: no apropreate SP found, the following value is set to error.
478	* 0 : bypass
479	* EACCES : discard packet.
480	* ENOENT : ipsec_acquire() in progress, maybe.
481	* others : error occurred.
482	* others: a pointer to SP
483	*
484	* NOTE: IPv6 mapped address concern is implemented here.
485	*/
486	struct secpolicy *
487	ipsec_getpolicy(const struct tdb_ident *tdbi, u_int dir)
488	{
489	struct secpolicy *sp;
490
491	IPSEC_ASSERT(tdbi != NULL, ("%s: null tdbi", __func__));
492	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND \|\| dir == IPSEC_DIR_OUTBOUND,
493	("%s: invalid direction %u", __func__, dir));
494
495	sp = KEY_ALLOCSP2(tdbi->spi, &tdbi->dst, tdbi->proto, dir);
496	if (sp == NULL) /XXX????/
497	sp = KEY_ALLOCSP_DEFAULT(tdbi->dst.sa.sa_family);
498	IPSEC_ASSERT(sp != NULL, ("%s: null SP", __func__));
499	return sp;
500	}
501
502	/*
503	* For OUTBOUND packet having a socket. Searching SPD for packet,
504	* and return a pointer to SP.
505	* OUT: NULL: no apropreate SP found, the following value is set to error.
506	* 0 : bypass
507	* EACCES : discard packet.
508	* ENOENT : ipsec_acquire() in progress, maybe.
509	* others : error occurred.
510	* others: a pointer to SP
511	*
512	* NOTE: IPv6 mapped address concern is implemented here.
513	*/
514	static struct secpolicy *
515	ipsec_getpolicybysock(struct mbuf m, u_int dir, PCB_T inp, int *error)
516	{
517	struct inpcbpolicy *pcbsp = NULL;
518	struct secpolicy currsp = NULL; /* policy on socket /
519	struct secpolicy *sp;
520	int af;
521
522	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
523	IPSEC_ASSERT(inp != NULL, ("%s: null inpcb", __func__));
524	IPSEC_ASSERT(error != NULL, ("%s: null error", __func__));
525	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND \|\| dir == IPSEC_DIR_OUTBOUND,
526	("%s: invalid direction %u", __func__, dir));
527
528	IPSEC_ASSERT(PCB_SOCKET(inp) != NULL, ("%s: null socket", __func__));
529
530	/ XXX FIXME inpcb/in6pcb vs socket/
531	af = PCB_FAMILY(inp);
532	IPSEC_ASSERT(af == AF_INET \|\| af == AF_INET6,
533	("%s: unexpected protocol family %u", __func__, af));
534
535	#ifdef __NetBSD__
536	IPSEC_ASSERT(inp->inph_sp != NULL, ("null PCB policy cache"));
537	/ If we have a cached entry, and if it is still valid, use it. /
538	IPSEC_STATINC(IPSEC_STAT_SPDCACHELOOKUP);
539	currsp = ipsec_checkpcbcache(m, /inpcb_hdr/inp->inph_sp, dir);
540	if (currsp) {
541	*error = `0`;
542	return currsp;
543	}
544	IPSEC_STATINC(IPSEC_STAT_SPDCACHEMISS);
545	#endif /* __NetBSD__ */
546
547	switch (af) {
548	case AF_INET: {
549	struct inpcb *in4p = PCB_TO_IN4PCB(inp);
550	/ set spidx in pcb /
551	*error = ipsec4_setspidx_inpcb(m, in4p);
552	pcbsp = in4p->inp_sp;
553	break;
554	}
555
556	#if defined(INET6)
557	case AF_INET6: {
558	struct in6pcb *in6p = PCB_TO_IN6PCB(inp);
559	/ set spidx in pcb /
560	*error = ipsec6_setspidx_in6pcb(m, in6p);
561	pcbsp = in6p->in6p_sp;
562	break;
563	}
564	#endif
565	default:
566	*error = EPFNOSUPPORT;
567	break;
568	}
569	if (*error)
570	return NULL;
571
572	IPSEC_ASSERT(pcbsp != NULL, ("%s: null pcbsp", __func__));
573	switch (dir) {
574	case IPSEC_DIR_INBOUND:
575	currsp = pcbsp->sp_in;
576	break;
577	case IPSEC_DIR_OUTBOUND:
578	currsp = pcbsp->sp_out;
579	break;
580	}
581	IPSEC_ASSERT(currsp != NULL, ("%s: null currsp", __func__));
582
583	if (pcbsp->priv) { / when privilieged socket /
584	switch (currsp->policy) {
585	case IPSEC_POLICY_BYPASS:
586	case IPSEC_POLICY_IPSEC:
587	currsp->refcnt++;
588	sp = currsp;
589	break;
590
591	case IPSEC_POLICY_ENTRUST:
592	/ look for a policy in SPD /
593	sp = KEY_ALLOCSP(&currsp->spidx, dir);
594	if (sp == NULL) / no SP found /
595	sp = KEY_ALLOCSP_DEFAULT(af);
596	break;
597
598	default:
599	ipseclog((LOG_ERR, "%s: Invalid policy for PCB %d\n",
600	__func__, currsp->policy));
601	*error = EINVAL;
602	return NULL;
603	}
604	} else { / unpriv, SPD has policy /
605	sp = KEY_ALLOCSP(&currsp->spidx, dir);
606	if (sp == NULL) { / no SP found /
607	switch (currsp->policy) {
608	case IPSEC_POLICY_BYPASS:
609	ipseclog((LOG_ERR, "%s: Illegal policy for "
610	"non-priviliged defined %d\n", __func__,
611	currsp->policy));
612	*error = EINVAL;
613	return NULL;
614
615	case IPSEC_POLICY_ENTRUST:
616	sp = KEY_ALLOCSP_DEFAULT(af);
617	break;
618
619	case IPSEC_POLICY_IPSEC:
620	currsp->refcnt++;
621	sp = currsp;
622	break;
623
624	default:
625	ipseclog((LOG_ERR, "%s: Invalid policy for "
626	"PCB %d\n", __func__, currsp->policy));
627	*error = EINVAL;
628	return NULL;
629	}
630	}
631	}
632	IPSEC_ASSERT(sp != NULL,
633	("%s: null SP (priv %u policy %u", __func__, pcbsp->priv,
634	currsp->policy));
635	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
636	printf("DP %s (priv %u policy %u) allocates SP:%p (refcnt %u)\n",
637	__func__, pcbsp->priv, currsp->policy, sp, sp->refcnt));
638	#ifdef __NetBSD__
639	ipsec_fillpcbcache(pcbsp, m, sp, dir);
640	#endif /* __NetBSD__ */
641	return sp;
642	}
643
644	/*
645	* For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
646	* and return a pointer to SP.
647	* OUT: positive: a pointer to the entry for security policy leaf matched.
648	* NULL: no apropreate SP found, the following value is set to error.
649	* 0 : bypass
650	* EACCES : discard packet.
651	* ENOENT : ipsec_acquire() in progress, maybe.
652	* others : error occurred.
653	*/
654	struct secpolicy *
655	ipsec_getpolicybyaddr(struct mbuf m, u_int dir, int* flag, int *error)
656	{
657	struct secpolicyindex spidx;
658	struct secpolicy *sp;
659
660	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
661	IPSEC_ASSERT(error != NULL, ("%s: null error", __func__));
662	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND \|\| dir == IPSEC_DIR_OUTBOUND,
663	("%s: invalid direction %u", __func__, dir));
664
665	sp = NULL;
666
667	/ Make an index to look for a policy. /
668	*error = ipsec_setspidx(m, &spidx, (flag & IP_FORWARDING) ? `0` : `1`);
669	if (*error != `0`) {
670	DPRINTF(("%s: setpidx failed, dir %u flag %u\n", __func__,
671	dir, flag));
672	memset(&spidx, `0`, sizeof (spidx));
673	return NULL;
674	}
675
676	spidx.dir = dir;
677
678	if (key_havesp(dir)) {
679	sp = KEY_ALLOCSP(&spidx, dir);
680	}
681
682	if (sp == NULL) / no SP found, use system default /
683	sp = KEY_ALLOCSP_DEFAULT(spidx.dst.sa.sa_family);
684	IPSEC_ASSERT(sp != NULL, ("%s: null SP", __func__));
685	return sp;
686	}
687
688	struct secpolicy *
689	ipsec4_checkpolicy(struct mbuf m, u_int dir, u_int flag, int* *error,
690	struct inpcb *inp)
691	{
692	struct secpolicy *sp;
693
694	*error = `0`;
695
696
697	/ XXX KAME IPv6 calls us with non-null inp but bogus inp_socket? /
698	if (inp == NULL \|\| inp->inp_socket == NULL) {
699	sp = ipsec_getpolicybyaddr(m, dir, flag, error);
700	} else
701	sp = ipsec_getpolicybysock(m, dir, IN4PCB_TO_PCB(inp), error);
702	if (sp == NULL) {
703	IPSEC_ASSERT(*error != `0`,
704	("%s: getpolicy failed w/o error", __func__));
705	IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
706	return NULL;
707	}
708	IPSEC_ASSERT(error == `0`, ("%s: sp w/ error set to %u", __func__*,
709	*error));
710	switch (sp->policy) {
711	case IPSEC_POLICY_ENTRUST:
712	default:
713	printf("%s: invalid policy %u\n", __func__, sp->policy);
714	/ fall thru... /
715	case IPSEC_POLICY_DISCARD:
716	IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO);
717	error = -EINVAL; /* packet is discarded by caller /
718	break;
719	case IPSEC_POLICY_BYPASS:
720	case IPSEC_POLICY_NONE:
721	KEY_FREESP(&sp);
722	sp = NULL; / NB: force NULL result /
723	break;
724	case IPSEC_POLICY_IPSEC:
725	if (sp->req == NULL) / acquire an SA /
726	*error = key_spdacquire(sp);
727	break;
728	}
729	if (*error != `0`) {
730	KEY_FREESP(&sp);
731	sp = NULL;
732	DPRINTF(("%s: done, error %d\n", __func__, *error));
733	}
734	return sp;
735	}
736
737	int
738	ipsec4_output(struct mbuf m, struct* socket so, int* flags,
739	struct secpolicy *sp_out, u_long mtu, bool natt_frag, bool done)
740	{
741	const struct ip ip = mtod(m, const* struct ip *);
742	struct secpolicy *sp = NULL;
743	struct inpcb *inp;
744	int error, s;
745
746	inp = (so && so->so_proto->pr_domain->dom_family == AF_INET) ?
747	(struct inpcb *)so->so_pcb : NULL;
748
749	/*
750	* Check the security policy (SP) for the packet and, if required,
751	* do IPsec-related processing. There are two cases here; the first
752	* time a packet is sent through it will be untagged and handled by
753	* ipsec4_checkpolicy(). If the packet is resubmitted to ip_output
754	* (e.g. after AH, ESP, etc. processing), there will be a tag to
755	* bypass the lookup and related policy checking.
756	*/
757	if (ipsec_outdone(m)) {
758	return `0`;
759	}
760	s = splsoftnet();
761	if (inp && IPSEC_PCB_SKIP_IPSEC(inp->inp_sp, IPSEC_DIR_OUTBOUND)) {
762	splx(s);
763	return `0`;
764	}
765	sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp);
766
767	/*
768	* There are four return cases:
769	* sp != NULL apply IPsec policy
770	* sp == NULL, error == 0 no IPsec handling needed
771	* sp == NULL, error == -EINVAL discard packet w/o error
772	* sp == NULL, error != 0 discard packet, report error
773	*/
774	if (sp == NULL) {
775	splx(s);
776	if (error) {
777	/*
778	* Hack: -EINVAL is used to signal that a packet
779	* should be silently discarded. This is typically
780	* because we asked key management for an SA and
781	* it was delayed (e.g. kicked up to IKE).
782	*/
783	if (error == -EINVAL)
784	error = `0`;
785	m_freem(m);
786	*done = true;
787	return error;
788	}
789	/ No IPsec processing for this packet. /
790	return `0`;
791	}
792	*sp_out = sp;
793
794	/*
795	* NAT-T ESP fragmentation: do not do IPSec processing now,
796	* we will do it on each fragmented packet.
797	*/
798	if (sp->req->sav && (sp->req->sav->natt_type &
799	(UDP_ENCAP_ESPINUDP\|UDP_ENCAP_ESPINUDP_NON_IKE))) {
800	if (ntohs(ip->ip_len) > sp->req->sav->esp_frag) {
801	*mtu = sp->req->sav->esp_frag;
802	*natt_frag = true;
803	splx(s);
804	return `0`;
805	}
806	}
807
808	/*
809	* Do delayed checksums now because we send before
810	* this is done in the normal processing path.
811	*/
812	if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4\|M_CSUM_UDPv4)) {
813	in_delayed_cksum(m);
814	m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4\|M_CSUM_UDPv4);
815	}
816
817	/ Note: callee frees mbuf /
818	error = ipsec4_process_packet(m, sp->req, flags, `0`);
819	/*
820	* Preserve KAME behaviour: ENOENT can be returned
821	* when an SA acquire is in progress. Don't propagate
822	* this to user-level; it confuses applications.
823	*
824	* XXX this will go away when the SADB is redone.
825	*/
826	if (error == ENOENT)
827	error = `0`;
828	splx(s);
829	*done = true;
830	return error;
831	}
832
833	int
834	ipsec4_input(struct mbuf m, int* flags)
835	{
836	struct m_tag *mtag;
837	struct tdb_ident *tdbi;
838	struct secpolicy *sp;
839	int error, s;
840
841	/*
842	* Check if the packet has already had IPsec processing done.
843	* If so, then just pass it along. This tag gets set during AH,
844	* ESP, etc. input handling, before the packet is returned to
845	* the IP input queue for delivery.
846	*/
847	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
848	s = splsoftnet();
849	if (mtag != NULL) {
850	tdbi = (struct tdb_ident *)(mtag + `1`);
851	sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
852	} else {
853	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
854	IP_FORWARDING, &error);
855	}
856	if (sp == NULL) {
857	splx(s);
858	return EINVAL;
859	}
860
861	/*
862	* Check security policy against packet attributes.
863	*/
864	error = ipsec_in_reject(sp, m);
865	KEY_FREESP(&sp);
866	splx(s);
867	if (error) {
868	return error;
869	}
870
871	if (flags == `0`) {
872	/ We are done. /
873	return `0`;
874	}
875
876	/*
877	* Peek at the outbound SP for this packet to determine if
878	* it is a Fast Forward candidate.
879	*/
880	mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
881	if (mtag != NULL) {
882	m->m_flags &= ~M_CANFASTFWD;
883	return `0`;
884	}
885
886	s = splsoftnet();
887	sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL);
888	if (sp != NULL) {
889	m->m_flags &= ~M_CANFASTFWD;
890	KEY_FREESP(&sp);
891	}
892	splx(s);
893	return `0`;
894	}
895
896	int
897	ipsec4_forward(struct mbuf m, int* *destmtu)
898	{
899	/*
900	* If the packet is routed over IPsec tunnel, tell the
901	* originator the tunnel MTU.
902	* tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
903	* XXX quickhack!!!
904	*/
905	struct secpolicy *sp;
906	size_t ipsechdr;
907	int error;
908
909	sp = ipsec4_getpolicybyaddr(m,
910	IPSEC_DIR_OUTBOUND, IP_FORWARDING, &error);
911	if (sp == NULL) {
912	return EINVAL;
913	}
914
915	/ Count IPsec header size. /
916	ipsechdr = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL);
917
918	/*
919	* Find the correct route for outer IPv4 header, compute tunnel MTU.
920	*/
921	if (sp->req && sp->req->sav && sp->req->sav->sah) {
922	struct route *ro;
923	struct rtentry *rt;
924
925	ro = &sp->req->sav->sah->sa_route;
926	rt = rtcache_validate(ro);
927	if (rt && rt->rt_ifp) {
928	*destmtu = rt->rt_rmx.rmx_mtu ?
929	rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
930	*destmtu -= ipsechdr;
931	}
932	}
933	KEY_FREESP(&sp);
934	return `0`;
935	}
936
937	#ifdef INET6
938	struct secpolicy *
939	ipsec6_checkpolicy(struct mbuf m, u_int dir, u_int flag, int* *error,
940	struct in6pcb *in6p)
941	{
942	struct secpolicy *sp;
943
944	*error = `0`;
945
946
947	/ XXX KAME IPv6 calls us with non-null inp but bogus inp_socket? /
948	if (in6p == NULL \|\| in6p->in6p_socket == NULL) {
949	sp = ipsec_getpolicybyaddr(m, dir, flag, error);
950	} else
951	sp = ipsec_getpolicybysock(m, dir, IN6PCB_TO_PCB(in6p), error);
952	if (sp == NULL) {
953	IPSEC_ASSERT(*error != `0`, ("%s: getpolicy failed w/o error",
954	__func__));
955	IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
956	return NULL;
957	}
958	IPSEC_ASSERT(error == `0`, ("%s: sp w/ error set to %u", __func__*,
959	*error));
960	switch (sp->policy) {
961	case IPSEC_POLICY_ENTRUST:
962	default:
963	printf("%s: invalid policy %u\n", __func__, sp->policy);
964	/ fall thru... /
965	case IPSEC_POLICY_DISCARD:
966	IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO);
967	error = -EINVAL; /* packet is discarded by caller /
968	break;
969	case IPSEC_POLICY_BYPASS:
970	case IPSEC_POLICY_NONE:
971	KEY_FREESP(&sp);
972	sp = NULL; / NB: force NULL result /
973	break;
974	case IPSEC_POLICY_IPSEC:
975	if (sp->req == NULL) / acquire an SA /
976	*error = key_spdacquire(sp);
977	break;
978	}
979	if (*error != `0`) {
980	KEY_FREESP(&sp);
981	sp = NULL;
982	DPRINTF(("%s: done, error %d\n", __func__, *error));
983	}
984	return sp;
985	}
986	#endif /* INET6 */
987
988	static int
989	ipsec4_setspidx_inpcb(struct mbuf m, struct* inpcb *pcb)
990	{
991	int error;
992
993	IPSEC_ASSERT(pcb != NULL, ("%s: null pcb", __func__));
994	IPSEC_ASSERT(pcb->inp_sp != NULL, ("%s: null inp_sp", __func__));
995	IPSEC_ASSERT(pcb->inp_sp->sp_out != NULL && pcb->inp_sp->sp_in != NULL,
996	("%s: null sp_in \|\| sp_out", __func__));
997
998	error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, `1`);
999	if (error == `0`) {
1000	pcb->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND;
1001	pcb->inp_sp->sp_out->spidx = pcb->inp_sp->sp_in->spidx;
1002	pcb->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND;
1003	} else {
1004	memset(&pcb->inp_sp->sp_in->spidx, `0`,
1005	sizeof (pcb->inp_sp->sp_in->spidx));
1006	memset(&pcb->inp_sp->sp_out->spidx, `0`,
1007	sizeof (pcb->inp_sp->sp_in->spidx));
1008	}
1009	return error;
1010	}
1011
1012	#ifdef INET6
1013	static int
1014	ipsec6_setspidx_in6pcb(struct mbuf m, struct* in6pcb *pcb)
1015	{
1016	struct secpolicyindex *spidx;
1017	int error;
1018
1019	IPSEC_ASSERT(pcb != NULL, ("%s: null pcb", __func__));
1020	IPSEC_ASSERT(pcb->in6p_sp != NULL, ("%s: null inp_sp", __func__));
1021	IPSEC_ASSERT(pcb->in6p_sp->sp_out != NULL &&
1022	pcb->in6p_sp->sp_in != NULL, ("%s: null sp_in \|\| sp_out",
1023	__func__));
1024
1025	memset(&pcb->in6p_sp->sp_in->spidx, `0`, sizeof(*spidx));
1026	memset(&pcb->in6p_sp->sp_out->spidx, `0`, sizeof(*spidx));
1027
1028	spidx = &pcb->in6p_sp->sp_in->spidx;
1029	error = ipsec_setspidx(m, spidx, `1`);
1030	if (error)
1031	goto bad;
1032	spidx->dir = IPSEC_DIR_INBOUND;
1033
1034	spidx = &pcb->in6p_sp->sp_out->spidx;
1035	error = ipsec_setspidx(m, spidx, `1`);
1036	if (error)
1037	goto bad;
1038	spidx->dir = IPSEC_DIR_OUTBOUND;
1039
1040	return `0`;
1041
1042	bad:
1043	memset(&pcb->in6p_sp->sp_in->spidx, `0`, sizeof(*spidx));
1044	memset(&pcb->in6p_sp->sp_out->spidx, `0`, sizeof(*spidx));
1045	return error;
1046	}
1047	#endif
1048
1049	/*
1050	* configure security policy index (src/dst/proto/sport/dport)
1051	* by looking at the content of mbuf.
1052	* the caller is responsible for error recovery (like clearing up spidx).
1053	*/
1054	static int
1055	ipsec_setspidx(struct mbuf m, struct* secpolicyindex spidx, int* needport)
1056	{
1057	struct ip *ip = NULL;
1058	struct ip ipbuf;
1059	u_int v;
1060	struct mbuf *n;
1061	int len;
1062	int error;
1063
1064	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
1065
1066	/*
1067	* validate m->m_pkthdr.len. we see incorrect length if we
1068	* mistakenly call this function with inconsistent mbuf chain
1069	* (like 4.4BSD tcp/udp processing). XXX should we panic here?
1070	*/
1071	len = `0`;
1072	for (n = m; n; n = n->m_next)
1073	len += n->m_len;
1074	if (m->m_pkthdr.len != len) {
1075	KEYDEBUG(KEYDEBUG_IPSEC_DUMP, printf("%s: total of m_len(%d) "
1076	"!= pkthdr.len(%d), ignored.\n", __func__, len,
1077	m->m_pkthdr.len));
1078	return EINVAL;
1079	}
1080
1081	if (m->m_pkthdr.len < sizeof(struct ip)) {
1082	KEYDEBUG(KEYDEBUG_IPSEC_DUMP, printf("%s: pkthdr.len(%d) < "
1083	"sizeof(struct ip), ignored.\n", __func__,
1084	m->m_pkthdr.len));
1085	return EINVAL;
1086	}
1087
1088	if (m->m_len >= sizeof(*ip))
1089	ip = mtod(m, struct ip *);
1090	else {
1091	m_copydata(m, `0`, sizeof(ipbuf), &ipbuf);
1092	ip = &ipbuf;
1093	}
1094	v = ip->ip_v;
1095	switch (v) {
1096	case `4`:
1097	error = ipsec4_setspidx_ipaddr(m, spidx);
1098	if (error)
1099	return error;
1100	ipsec4_get_ulp(m, spidx, needport);
1101	return `0`;
1102	#ifdef INET6
1103	case `6`:
1104	if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
1105	KEYDEBUG(KEYDEBUG_IPSEC_DUMP, printf("%s: "
1106	"pkthdr.len(%d) < sizeof(struct ip6_hdr), "
1107	"ignored.\n", __func__, m->m_pkthdr.len));
1108	return EINVAL;
1109	}
1110	error = ipsec6_setspidx_ipaddr(m, spidx);
1111	if (error)
1112	return error;
1113	ipsec6_get_ulp(m, spidx, needport);
1114	return `0`;
1115	#endif
1116	default:
1117	KEYDEBUG(KEYDEBUG_IPSEC_DUMP, printf("%s: unknown IP version "
1118	"%u, ignored.\n", __func__, v));
1119	return EINVAL;
1120	}
1121	}
1122
1123	static void
1124	ipsec4_get_ulp(struct mbuf m, struct* secpolicyindex spidx, int* needport)
1125	{
1126	u_int8_t nxt;
1127	int off;
1128
1129	/ sanity check /
1130	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
1131	IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),
1132	("%s: packet too short", __func__));
1133
1134	/ NB: ip_input() flips it into host endian XXX need more checking /
1135	if (m->m_len >= sizeof(struct ip)) {
1136	struct ip ip = mtod(m, struct* ip *);
1137	if (ip->ip_off & IP_OFF_CONVERT(IP_MF \| IP_OFFMASK))
1138	goto done;
1139	off = ip->ip_hl << `2`;
1140	nxt = ip->ip_p;
1141	} else {
1142	struct ip ih;
1143
1144	m_copydata(m, `0`, sizeof (struct ip), &ih);
1145	if (ih.ip_off & IP_OFF_CONVERT(IP_MF \| IP_OFFMASK))
1146	goto done;
1147	off = ih.ip_hl << `2`;
1148	nxt = ih.ip_p;
1149	}
1150
1151	while (off < m->m_pkthdr.len) {
1152	struct ip6_ext ip6e;
1153	struct tcphdr th;
1154	struct udphdr uh;
1155	struct icmp icmph;
1156
1157	switch (nxt) {
1158	case IPPROTO_TCP:
1159	spidx->ul_proto = nxt;
1160	if (!needport)
1161	goto done_proto;
1162	if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1163	goto done;
1164	m_copydata(m, off, sizeof (th), &th);
1165	spidx->src.sin.sin_port = th.th_sport;
1166	spidx->dst.sin.sin_port = th.th_dport;
1167	return;
1168	case IPPROTO_UDP:
1169	spidx->ul_proto = nxt;
1170	if (!needport)
1171	goto done_proto;
1172	if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1173	goto done;
1174	m_copydata(m, off, sizeof (uh), &uh);
1175	spidx->src.sin.sin_port = uh.uh_sport;
1176	spidx->dst.sin.sin_port = uh.uh_dport;
1177	return;
1178	case IPPROTO_AH:
1179	if (m->m_pkthdr.len > off + sizeof(ip6e))
1180	goto done;
1181	/ XXX sigh, this works but is totally bogus /
1182	m_copydata(m, off, sizeof(ip6e), &ip6e);
1183	off += (ip6e.ip6e_len + `2`) << `2`;
1184	nxt = ip6e.ip6e_nxt;
1185	break;
1186	case IPPROTO_ICMP:
1187	spidx->ul_proto = nxt;
1188	if (off + sizeof(struct icmp) > m->m_pkthdr.len)
1189	return;
1190	m_copydata(m, off, sizeof(icmph), &icmph);
1191	((struct sockaddr_in *)&spidx->src)->sin_port =
1192	htons((uint16_t)icmph.icmp_type);
1193	((struct sockaddr_in *)&spidx->dst)->sin_port =
1194	htons((uint16_t)icmph.icmp_code);
1195	return;
1196	default:
1197	/ XXX intermediate headers??? /
1198	spidx->ul_proto = nxt;
1199	goto done_proto;
1200	}
1201	}
1202	done:
1203	spidx->ul_proto = IPSEC_ULPROTO_ANY;
1204	done_proto:
1205	spidx->src.sin.sin_port = IPSEC_PORT_ANY;
1206	spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
1207	}
1208
1209	/ assumes that m is sane /
1210	static int
1211	ipsec4_setspidx_ipaddr(struct mbuf m, struct* secpolicyindex *spidx)
1212	{
1213	static const struct sockaddr_in template = {
1214	sizeof (struct sockaddr_in),
1215	AF_INET,
1216	`0`, { `0` }, { `0`, `0`, `0`, `0`, `0`, `0`, `0`, `0` }
1217	};
1218
1219	spidx->src.sin = template;
1220	spidx->dst.sin = template;
1221
1222	if (m->m_len < sizeof (struct ip)) {
1223	m_copydata(m, offsetof(struct ip, ip_src),
1224	sizeof (struct in_addr),
1225	&spidx->src.sin.sin_addr);
1226	m_copydata(m, offsetof(struct ip, ip_dst),
1227	sizeof (struct in_addr),
1228	&spidx->dst.sin.sin_addr);
1229	} else {
1230	struct ip ip = mtod(m, struct* ip *);
1231	spidx->src.sin.sin_addr = ip->ip_src;
1232	spidx->dst.sin.sin_addr = ip->ip_dst;
1233	}
1234
1235	spidx->prefs = sizeof(struct in_addr) << `3`;
1236	spidx->prefd = sizeof(struct in_addr) << `3`;
1237
1238	return `0`;
1239	}
1240
1241	#ifdef INET6
1242	static void
1243	ipsec6_get_ulp(struct mbuf m, struct* secpolicyindex *spidx,
1244	int needport)
1245	{
1246	int off, nxt;
1247	struct tcphdr th;
1248	struct udphdr uh;
1249	struct icmp6_hdr icmph;
1250
1251	/ sanity check /
1252	if (m == NULL)
1253	panic("%s: NULL pointer was passed", __func__);
1254
1255	KEYDEBUG(KEYDEBUG_IPSEC_DUMP, printf("%s:\n", __func__);
1256	kdebug_mbuf(m));
1257
1258	/ set default /
1259	spidx->ul_proto = IPSEC_ULPROTO_ANY;
1260	((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1261	((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1262
1263	nxt = -`1`;
1264	off = ip6_lasthdr(m, `0`, IPPROTO_IPV6, &nxt);
1265	if (off < `0` \|\| m->m_pkthdr.len < off)
1266	return;
1267
1268	switch (nxt) {
1269	case IPPROTO_TCP:
1270	spidx->ul_proto = nxt;
1271	if (!needport)
1272	break;
1273	if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1274	break;
1275	m_copydata(m, off, sizeof(th), &th);
1276	((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1277	((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1278	break;
1279	case IPPROTO_UDP:
1280	spidx->ul_proto = nxt;
1281	if (!needport)
1282	break;
1283	if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1284	break;
1285	m_copydata(m, off, sizeof(uh), &uh);
1286	((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1287	((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1288	break;
1289	case IPPROTO_ICMPV6:
1290	spidx->ul_proto = nxt;
1291	if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1292	break;
1293	m_copydata(m, off, sizeof(icmph), &icmph);
1294	((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1295	htons((uint16_t)icmph.icmp6_type);
1296	((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1297	htons((uint16_t)icmph.icmp6_code);
1298	break;
1299	default:
1300	/ XXX intermediate headers??? /
1301	spidx->ul_proto = nxt;
1302	break;
1303	}
1304	}
1305
1306	/ assumes that m is sane /
1307	static int
1308	ipsec6_setspidx_ipaddr(struct mbuf m, struct* secpolicyindex *spidx)
1309	{
1310	struct ip6_hdr *ip6 = NULL;
1311	struct ip6_hdr ip6buf;
1312	struct sockaddr_in6 *sin6;
1313
1314	if (m->m_len >= sizeof(*ip6))
1315	ip6 = mtod(m, struct ip6_hdr *);
1316	else {
1317	m_copydata(m, `0`, sizeof(ip6buf), &ip6buf);
1318	ip6 = &ip6buf;
1319	}
1320
1321	sin6 = (struct sockaddr_in6 *)&spidx->src;
1322	memset(sin6, `0`, sizeof(*sin6));
1323	sin6->sin6_family = AF_INET6;
1324	sin6->sin6_len = sizeof(struct sockaddr_in6);
1325	memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
1326	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1327	sin6->sin6_addr.s6_addr16[`1`] = `0`;
1328	sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[`1`]);
1329	}
1330	spidx->prefs = sizeof(struct in6_addr) << `3`;
1331
1332	sin6 = (struct sockaddr_in6 *)&spidx->dst;
1333	memset(sin6, `0`, sizeof(*sin6));
1334	sin6->sin6_family = AF_INET6;
1335	sin6->sin6_len = sizeof(struct sockaddr_in6);
1336	memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
1337	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1338	sin6->sin6_addr.s6_addr16[`1`] = `0`;
1339	sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[`1`]);
1340	}
1341	spidx->prefd = sizeof(struct in6_addr) << `3`;
1342
1343	return `0`;
1344	}
1345	#endif
1346
1347	static void
1348	ipsec_delpcbpolicy(struct inpcbpolicy *p)
1349	{
1350	free(p, M_SECA);
1351	}
1352
1353	/ initialize policy in PCB /
1354	int
1355	ipsec_init_policy(struct socket so, struct* inpcbpolicy **policy)
1356	{
1357	struct inpcbpolicy *new;
1358
1359	/ sanity check. /
1360	if (so == NULL \|\| policy == NULL)
1361	panic("%s: NULL pointer was passed", __func__);
1362
1363	new = malloc(sizeof(*new), M_SECA, M_NOWAIT\|M_ZERO);
1364	if (new == NULL) {
1365	ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
1366	return ENOBUFS;
1367	}
1368
1369	if (IPSEC_PRIVILEGED_SO(so))
1370	new->priv = `1`;
1371	else
1372	new->priv = `0`;
1373
1374	if ((new->sp_in = KEY_NEWSP()) == NULL) {
1375	ipsec_delpcbpolicy(new);
1376	return ENOBUFS;
1377	}
1378	new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1379	new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1380
1381	if ((new->sp_out = KEY_NEWSP()) == NULL) {
1382	KEY_FREESP(&new->sp_in);
1383	ipsec_delpcbpolicy(new);
1384	return ENOBUFS;
1385	}
1386	new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1387	new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1388
1389	*policy = new;
1390
1391	return `0`;
1392	}
1393
1394	/ copy old ipsec policy into new /
1395	int
1396	ipsec_copy_policy(const struct inpcbpolicy old, struct* inpcbpolicy *new)
1397	{
1398	struct secpolicy *sp;
1399
1400	sp = ipsec_deepcopy_policy(old->sp_in);
1401	if (sp) {
1402	KEY_FREESP(&new->sp_in);
1403	new->sp_in = sp;
1404	} else
1405	return ENOBUFS;
1406
1407	sp = ipsec_deepcopy_policy(old->sp_out);
1408	if (sp) {
1409	KEY_FREESP(&new->sp_out);
1410	new->sp_out = sp;
1411	} else
1412	return ENOBUFS;
1413
1414	new->priv = old->priv;
1415
1416	return `0`;
1417	}
1418
1419	/ deep-copy a policy in PCB /
1420	static struct secpolicy *
1421	ipsec_deepcopy_policy(const struct secpolicy *src)
1422	{
1423	struct ipsecrequest *newchain = NULL;
1424	const struct ipsecrequest *p;
1425	struct ipsecrequest **q;
1426	struct ipsecrequest *r;
1427	struct secpolicy *dst;
1428
1429	if (src == NULL)
1430	return NULL;
1431	dst = KEY_NEWSP();
1432	if (dst == NULL)
1433	return NULL;
1434
1435	/*
1436	* deep-copy IPsec request chain. This is required since struct
1437	* ipsecrequest is not reference counted.
1438	*/
1439	q = &newchain;
1440	for (p = src->req; p; p = p->next) {
1441	q = malloc(sizeof(*q), M_SECA, M_NOWAIT\|M_ZERO);
1442	if (*q == NULL)
1443	goto fail;
1444	(*q)->next = NULL;
1445
1446	(*q)->saidx.proto = p->saidx.proto;
1447	(*q)->saidx.mode = p->saidx.mode;
1448	(*q)->level = p->level;
1449	(*q)->saidx.reqid = p->saidx.reqid;
1450
1451	memcpy(&(q)->saidx.src, &p->saidx.src, sizeof((q)->saidx.src));
1452	memcpy(&(q)->saidx.dst, &p->saidx.dst, sizeof((q)->saidx.dst));
1453
1454	(*q)->sav = NULL;
1455	(*q)->sp = dst;
1456
1457	q = &((*q)->next);
1458	}
1459
1460	dst->req = newchain;
1461	dst->state = src->state;
1462	dst->policy = src->policy;
1463	/ do not touch the refcnt fields /
1464
1465	return dst;
1466
1467	fail:
1468	for (q = &newchain; *q; q = &r) {
1469	r = (*q)->next;
1470	free(*q, M_SECA);
1471	}
1472	return NULL;
1473	}
1474
1475	/ set policy and ipsec request if present. /
1476	static int
1477	ipsec_set_policy(
1478	struct secpolicy **policy,
1479	int optname,
1480	const void *request,
1481	size_t len,
1482	kauth_cred_t cred
1483	)
1484	{
1485	const struct sadb_x_policy *xpl;
1486	struct secpolicy *newsp = NULL;
1487	int error;
1488
1489	/ sanity check. /
1490	if (policy == NULL \|\| *policy == NULL \|\| request == NULL)
1491	return EINVAL;
1492	if (len < sizeof(*xpl))
1493	return EINVAL;
1494	xpl = (const struct sadb_x_policy *)request;
1495
1496	KEYDEBUG(KEYDEBUG_IPSEC_DUMP, printf("%s: passed policy\n", __func__);
1497	kdebug_sadb_x_policy((const struct sadb_ext *)xpl));
1498
1499	/ check policy type /
1500	/ ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. /
1501	if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1502	\|\| xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1503	return EINVAL;
1504
1505	/ check privileged socket /
1506	if (xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
1507	error = kauth_authorize_network(cred, KAUTH_NETWORK_IPSEC,
1508	KAUTH_REQ_NETWORK_IPSEC_BYPASS, NULL, NULL, NULL);
1509	if (error)
1510	return (error);
1511	}
1512
1513	/ allocation new SP entry /
1514	if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1515	return error;
1516
1517	newsp->state = IPSEC_SPSTATE_ALIVE;
1518
1519	/ clear old SP and set new SP /
1520	KEY_FREESP(policy);
1521	*policy = newsp;
1522	KEYDEBUG(KEYDEBUG_IPSEC_DUMP, printf("%s: new policy\n", __func__);
1523	kdebug_secpolicy(newsp));
1524
1525	return `0`;
1526	}
1527
1528	static int
1529	ipsec_get_policy(struct secpolicy policy, struct* mbuf **mp)
1530	{
1531
1532	/ sanity check. /
1533	if (policy == NULL \|\| mp == NULL)
1534	return EINVAL;
1535
1536	*mp = key_sp2msg(policy);
1537	if (!*mp) {
1538	ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
1539	return ENOBUFS;
1540	}
1541
1542	(*mp)->m_type = MT_DATA;
1543	KEYDEBUG(KEYDEBUG_IPSEC_DUMP, printf("%s:\n", __func__);
1544	kdebug_mbuf(*mp));
1545
1546	return `0`;
1547	}
1548
1549	int
1550	ipsec4_set_policy(struct inpcb inp, int* optname, const void *request,
1551	size_t len, kauth_cred_t cred)
1552	{
1553	const struct sadb_x_policy *xpl;
1554	struct secpolicy **policy;
1555
1556	/ sanity check. /
1557	if (inp == NULL \|\| request == NULL)
1558	return EINVAL;
1559	if (len < sizeof(*xpl))
1560	return EINVAL;
1561	xpl = (const struct sadb_x_policy *)request;
1562
1563	IPSEC_ASSERT(inp->inp_sp != NULL, ("%s: null inp->in_sp", __func__));
1564
1565	/ select direction /
1566	switch (xpl->sadb_x_policy_dir) {
1567	case IPSEC_DIR_INBOUND:
1568	policy = &inp->inp_sp->sp_in;
1569	break;
1570	case IPSEC_DIR_OUTBOUND:
1571	policy = &inp->inp_sp->sp_out;
1572	break;
1573	default:
1574	ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
1575	xpl->sadb_x_policy_dir));
1576	return EINVAL;
1577	}
1578
1579	return ipsec_set_policy(policy, optname, request, len, cred);
1580	}
1581
1582	int
1583	ipsec4_get_policy(struct inpcb inp, const* void *request, size_t len,
1584	struct mbuf **mp)
1585	{
1586	const struct sadb_x_policy *xpl;
1587	struct secpolicy *policy;
1588
1589	/ sanity check. /
1590	if (inp == NULL \|\| request == NULL \|\| mp == NULL)
1591	return EINVAL;
1592	IPSEC_ASSERT(inp->inp_sp != NULL, ("%s: null inp_sp", __func__));
1593	if (len < sizeof(*xpl))
1594	return EINVAL;
1595	xpl = (const struct sadb_x_policy *)request;
1596
1597	/ select direction /
1598	switch (xpl->sadb_x_policy_dir) {
1599	case IPSEC_DIR_INBOUND:
1600	policy = inp->inp_sp->sp_in;
1601	break;
1602	case IPSEC_DIR_OUTBOUND:
1603	policy = inp->inp_sp->sp_out;
1604	break;
1605	default:
1606	ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
1607	xpl->sadb_x_policy_dir));
1608	return EINVAL;
1609	}
1610
1611	return ipsec_get_policy(policy, mp);
1612	}
1613
1614	/ delete policy in PCB /
1615	int
1616	ipsec4_delete_pcbpolicy(struct inpcb *inp)
1617	{
1618	IPSEC_ASSERT(inp != NULL, ("%s: null inp", __func__));
1619
1620	if (inp->inp_sp == NULL)
1621	return `0`;
1622
1623	if (inp->inp_sp->sp_in != NULL)
1624	KEY_FREESP(&inp->inp_sp->sp_in);
1625
1626	if (inp->inp_sp->sp_out != NULL)
1627	KEY_FREESP(&inp->inp_sp->sp_out);
1628
1629	#ifdef __NetBSD__
1630	ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1631	#endif
1632
1633	ipsec_delpcbpolicy(inp->inp_sp);
1634	inp->inp_sp = NULL;
1635
1636	return `0`;
1637	}
1638
1639	#ifdef INET6
1640	int
1641	ipsec6_set_policy(struct in6pcb in6p, int* optname, const void *request,
1642	size_t len, kauth_cred_t cred)
1643	{
1644	const struct sadb_x_policy *xpl;
1645	struct secpolicy **policy;
1646
1647	/ sanity check. /
1648	if (in6p == NULL \|\| request == NULL)
1649	return EINVAL;
1650	if (len < sizeof(*xpl))
1651	return EINVAL;
1652	xpl = (const struct sadb_x_policy *)request;
1653
1654	/ select direction /
1655	switch (xpl->sadb_x_policy_dir) {
1656	case IPSEC_DIR_INBOUND:
1657	policy = &in6p->in6p_sp->sp_in;
1658	break;
1659	case IPSEC_DIR_OUTBOUND:
1660	policy = &in6p->in6p_sp->sp_out;
1661	break;
1662	default:
1663	ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
1664	xpl->sadb_x_policy_dir));
1665	return EINVAL;
1666	}
1667
1668	return ipsec_set_policy(policy, optname, request, len, cred);
1669	}
1670
1671	int
1672	ipsec6_get_policy(struct in6pcb in6p, const* void *request, size_t len,
1673	struct mbuf **mp)
1674	{
1675	const struct sadb_x_policy *xpl;
1676	struct secpolicy *policy;
1677
1678	/ sanity check. /
1679	if (in6p == NULL \|\| request == NULL \|\| mp == NULL)
1680	return EINVAL;
1681	IPSEC_ASSERT(in6p->in6p_sp != NULL, ("%s: null in6p_sp", __func__));
1682	if (len < sizeof(*xpl))
1683	return EINVAL;
1684	xpl = (const struct sadb_x_policy *)request;
1685
1686	/ select direction /
1687	switch (xpl->sadb_x_policy_dir) {
1688	case IPSEC_DIR_INBOUND:
1689	policy = in6p->in6p_sp->sp_in;
1690	break;
1691	case IPSEC_DIR_OUTBOUND:
1692	policy = in6p->in6p_sp->sp_out;
1693	break;
1694	default:
1695	ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
1696	xpl->sadb_x_policy_dir));
1697	return EINVAL;
1698	}
1699
1700	return ipsec_get_policy(policy, mp);
1701	}
1702
1703	int
1704	ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
1705	{
1706	IPSEC_ASSERT(in6p != NULL, ("%s: null in6p", __func__));
1707
1708	if (in6p->in6p_sp == NULL)
1709	return `0`;
1710
1711	if (in6p->in6p_sp->sp_in != NULL)
1712	KEY_FREESP(&in6p->in6p_sp->sp_in);
1713
1714	if (in6p->in6p_sp->sp_out != NULL)
1715	KEY_FREESP(&in6p->in6p_sp->sp_out);
1716
1717	#ifdef __NetBSD
1718	ipsec_invalpcbcache(in6p->in6p_sp, IPSEC_DIR_ANY);
1719	#endif
1720
1721	ipsec_delpcbpolicy(in6p->in6p_sp);
1722	in6p->in6p_sp = NULL;
1723
1724	return `0`;
1725	}
1726	#endif
1727
1728	/*
1729	* return current level.
1730	* Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1731	*/
1732	u_int
1733	ipsec_get_reqlevel(const struct ipsecrequest *isr)
1734	{
1735	u_int level = `0`;
1736	u_int esp_trans_deflev, esp_net_deflev;
1737	u_int ah_trans_deflev, ah_net_deflev;
1738
1739	IPSEC_ASSERT(isr != NULL && isr->sp != NULL, ("%s: null argument",
1740	__func__));
1741	IPSEC_ASSERT(isr->sp->spidx.src.sa.sa_family ==
1742	isr->sp->spidx.dst.sa.sa_family,
1743	("%s: af family mismatch, src %u, dst %u", __func__,
1744	isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family));
1745
1746	/ XXX note that we have ipseclog() expanded here - code sync issue /
1747	#define IPSEC_CHECK_DEFAULT(lev) \
1748	(((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1749	&& (lev) != IPSEC_LEVEL_UNIQUE) ? \
1750	(ipsec_debug ? log(LOG_INFO, "fixed system default level " #lev \
1751	":%d->%d\n", (lev), IPSEC_LEVEL_REQUIRE) : (void)0), \
1752	(lev) = IPSEC_LEVEL_REQUIRE, (lev) \
1753	: (lev))
1754
1755	/ set default level /
1756	switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1757	#ifdef INET
1758	case AF_INET:
1759	esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1760	esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1761	ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1762	ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1763	break;
1764	#endif
1765	#ifdef INET6
1766	case AF_INET6:
1767	esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1768	esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1769	ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1770	ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1771	break;
1772	#endif /* INET6 */
1773	default:
1774	panic("%s: unknown af %u", __func__,
1775	isr->sp->spidx.src.sa.sa_family);
1776	}
1777
1778	#undef IPSEC_CHECK_DEFAULT
1779
1780	/ set level /
1781	switch (isr->level) {
1782	case IPSEC_LEVEL_DEFAULT:
1783	switch (isr->saidx.proto) {
1784	case IPPROTO_ESP:
1785	if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1786	level = esp_net_deflev;
1787	else
1788	level = esp_trans_deflev;
1789	break;
1790	case IPPROTO_AH:
1791	if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1792	level = ah_net_deflev;
1793	else
1794	level = ah_trans_deflev;
1795	break;
1796	case IPPROTO_IPCOMP:
1797	/*
1798	* we don't really care, as IPcomp document says that
1799	* we shouldn't compress small packets
1800	*/
1801	level = IPSEC_LEVEL_USE;
1802	break;
1803	default:
1804	panic("%s: Illegal protocol defined %u", __func__,
1805	isr->saidx.proto);
1806	}
1807	break;
1808
1809	case IPSEC_LEVEL_USE:
1810	case IPSEC_LEVEL_REQUIRE:
1811	level = isr->level;
1812	break;
1813	case IPSEC_LEVEL_UNIQUE:
1814	level = IPSEC_LEVEL_REQUIRE;
1815	break;
1816
1817	default:
1818	panic("%s: Illegal IPsec level %u", __func__, isr->level);
1819	}
1820
1821	return level;
1822	}
1823
1824	/*
1825	* Check security policy requirements against the actual
1826	* packet contents. Return one if the packet should be
1827	* reject as "invalid"; otherwiser return zero to have the
1828	* packet treated as "valid".
1829	*
1830	* OUT:
1831	* 0: valid
1832	* 1: invalid
1833	*/
1834	int
1835	ipsec_in_reject(const struct secpolicy sp, const* struct mbuf *m)
1836	{
1837	struct ipsecrequest *isr;
1838	int need_auth;
1839
1840	KEYDEBUG(KEYDEBUG_IPSEC_DATA, printf("%s: using SP\n", __func__);
1841	kdebug_secpolicy(sp));
1842
1843	/ check policy /
1844	switch (sp->policy) {
1845	case IPSEC_POLICY_DISCARD:
1846	return `1`;
1847	case IPSEC_POLICY_BYPASS:
1848	case IPSEC_POLICY_NONE:
1849	return `0`;
1850	}
1851
1852	IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
1853	("%s: invalid policy %u", __func__, sp->policy));
1854
1855	/ XXX should compare policy against ipsec header history /
1856
1857	need_auth = `0`;
1858	for (isr = sp->req; isr != NULL; isr = isr->next) {
1859	if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE)
1860	continue;
1861	switch (isr->saidx.proto) {
1862	case IPPROTO_ESP:
1863	if ((m->m_flags & M_DECRYPTED) == `0`) {
1864	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1865	printf("%s: ESP m_flags:%x\n", __func__,
1866	m->m_flags));
1867	return `1`;
1868	}
1869
1870	if (!need_auth &&
1871	isr->sav != NULL &&
1872	isr->sav->tdb_authalgxform != NULL &&
1873	(m->m_flags & M_AUTHIPDGM) == `0`) {
1874	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1875	printf("%s: ESP/AH m_flags:%x\n", __func__,
1876	m->m_flags));
1877	return `1`;
1878	}
1879	break;
1880	case IPPROTO_AH:
1881	need_auth = `1`;
1882	if ((m->m_flags & M_AUTHIPHDR) == `0`) {
1883	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1884	printf("%s: AH m_flags:%x\n", __func__,
1885	m->m_flags));
1886	return `1`;
1887	}
1888	break;
1889	case IPPROTO_IPCOMP:
1890	/*
1891	* we don't really care, as IPcomp document
1892	* says that we shouldn't compress small
1893	* packets, IPComp policy should always be
1894	* treated as being in "use" level.
1895	*/
1896	break;
1897	}
1898	}
1899	return `0`; / valid /
1900	}
1901
1902	/*
1903	* Check AH/ESP integrity.
1904	* This function is called from tcp_input(), udp_input(),
1905	* and {ah,esp}4_input for tunnel mode
1906	*/
1907	int
1908	ipsec4_in_reject(struct mbuf m, struct* inpcb *inp)
1909	{
1910	struct secpolicy *sp;
1911	int error;
1912	int result;
1913
1914	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
1915
1916	/ get SP for this packet.*
1917	* When we are called from ip_forward(), we call
1918	* ipsec_getpolicybyaddr() with IP_FORWARDING flag.
1919	*/
1920	if (inp == NULL)
1921	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1922	else
1923	sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND,
1924	IN4PCB_TO_PCB(inp), &error);
1925
1926	if (sp != NULL) {
1927	result = ipsec_in_reject(sp, m);
1928	if (result)
1929	IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
1930	KEY_FREESP(&sp);
1931	} else {
1932	result = `0`; / XXX should be panic ?*
1933	* -> No, there may be error. */
1934	}
1935	return result;
1936	}
1937
1938
1939	#ifdef INET6
1940	/*
1941	* Check AH/ESP integrity.
1942	* This function is called from tcp6_input(), udp6_input(),
1943	* and {ah,esp}6_input for tunnel mode
1944	*/
1945	int
1946	ipsec6_in_reject(struct mbuf m, struct* in6pcb *in6p)
1947	{
1948	struct secpolicy *sp = NULL;
1949	int error;
1950	int result;
1951
1952	/ sanity check /
1953	if (m == NULL)
1954	return `0`; / XXX should be panic ? /
1955
1956	/ get SP for this packet.*
1957	* When we are called from ip_forward(), we call
1958	* ipsec_getpolicybyaddr() with IP_FORWARDING flag.
1959	*/
1960	if (in6p == NULL)
1961	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1962	else
1963	sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND,
1964	IN6PCB_TO_PCB(in6p),
1965	&error);
1966
1967	if (sp != NULL) {
1968	result = ipsec_in_reject(sp, m);
1969	if (result)
1970	IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
1971	KEY_FREESP(&sp);
1972	} else {
1973	result = `0`;
1974	}
1975	return result;
1976	}
1977	#endif
1978
1979	/*
1980	* compute the byte size to be occupied by IPsec header.
1981	* in case it is tunneled, it includes the size of outer IP header.
1982	* NOTE: SP passed is free in this function.
1983	*/
1984	static size_t
1985	ipsec_hdrsiz(const struct secpolicy *sp)
1986	{
1987	const struct ipsecrequest *isr;
1988	size_t siz;
1989
1990	KEYDEBUG(KEYDEBUG_IPSEC_DATA, printf("%s: using SP\n", __func__);
1991	kdebug_secpolicy(sp));
1992
1993	switch (sp->policy) {
1994	case IPSEC_POLICY_DISCARD:
1995	case IPSEC_POLICY_BYPASS:
1996	case IPSEC_POLICY_NONE:
1997	return `0`;
1998	}
1999
2000	IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
2001	("%s: invalid policy %u", __func__, sp->policy));
2002
2003	siz = `0`;
2004	for (isr = sp->req; isr != NULL; isr = isr->next) {
2005	size_t clen = `0`;
2006
2007	switch (isr->saidx.proto) {
2008	case IPPROTO_ESP:
2009	clen = esp_hdrsiz(isr->sav);
2010	break;
2011	case IPPROTO_AH:
2012	clen = ah_hdrsiz(isr->sav);
2013	break;
2014	case IPPROTO_IPCOMP:
2015	clen = sizeof(struct ipcomp);
2016	break;
2017	}
2018
2019	if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2020	switch (isr->saidx.dst.sa.sa_family) {
2021	case AF_INET:
2022	clen += sizeof(struct ip);
2023	break;
2024	#ifdef INET6
2025	case AF_INET6:
2026	clen += sizeof(struct ip6_hdr);
2027	break;
2028	#endif
2029	default:
2030	ipseclog((LOG_ERR, "%s: unknown AF %d in "
2031	"IPsec tunnel SA\n", __func__,
2032	((const struct sockaddr *)&isr->saidx.dst)
2033	->sa_family));
2034	break;
2035	}
2036	}
2037	siz += clen;
2038	}
2039
2040	return siz;
2041	}
2042
2043	/ This function is called from ip_forward() and ipsec4_hdrsize_tcp(). /
2044	size_t
2045	ipsec4_hdrsiz(struct mbuf m, u_int dir, struct* inpcb *inp)
2046	{
2047	struct secpolicy *sp;
2048	int error;
2049	size_t size;
2050
2051	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
2052	IPSEC_ASSERT(inp == NULL \|\| inp->inp_socket != NULL,
2053	("%s: socket w/o inpcb", __func__));
2054
2055	/ get SP for this packet.*
2056	* When we are called from ip_forward(), we call
2057	* ipsec_getpolicybyaddr() with IP_FORWARDING flag.
2058	*/
2059	if (inp == NULL)
2060	sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2061	else
2062	sp = ipsec_getpolicybysock(m, dir,
2063	IN4PCB_TO_PCB(inp), &error);
2064
2065	if (sp != NULL) {
2066	size = ipsec_hdrsiz(sp);
2067	KEYDEBUG(KEYDEBUG_IPSEC_DATA, printf("%s: size:%lu.\n",
2068	__func__, (unsigned long)size));
2069
2070	KEY_FREESP(&sp);
2071	} else {
2072	size = `0`; / XXX should be panic ? /
2073	}
2074	return size;
2075	}
2076
2077	#ifdef INET6
2078	/ This function is called from ipsec6_hdrsize_tcp(),*
2079	* and maybe from ip6_forward.()
2080	*/
2081	size_t
2082	ipsec6_hdrsiz(struct mbuf m, u_int dir, struct* in6pcb *in6p)
2083	{
2084	struct secpolicy *sp;
2085	int error;
2086	size_t size;
2087
2088	IPSEC_ASSERT(m != NULL, ("%s: null mbuf", __func__));
2089	IPSEC_ASSERT(in6p == NULL \|\| in6p->in6p_socket != NULL,
2090	("%s: socket w/o inpcb", __func__));
2091
2092	/ get SP for this packet /
2093	/ XXX Is it right to call with IP_FORWARDING. /
2094	if (in6p == NULL)
2095	sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2096	else
2097	sp = ipsec_getpolicybysock(m, dir,
2098	IN6PCB_TO_PCB(in6p),
2099	&error);
2100
2101	if (sp == NULL)
2102	return `0`;
2103	size = ipsec_hdrsiz(sp);
2104	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2105	printf("%s: size:%zu.\n", __func__, size));
2106	KEY_FREESP(&sp);
2107
2108	return size;
2109	}
2110	#endif /INET6/
2111
2112	/*
2113	* Check the variable replay window.
2114	* ipsec_chkreplay() performs replay check before ICV verification.
2115	* ipsec_updatereplay() updates replay bitmap. This must be called after
2116	* ICV verification (it also performs replay check, which is usually done
2117	* beforehand).
2118	* 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2119	*
2120	* based on RFC 2401.
2121	*/
2122	int
2123	ipsec_chkreplay(u_int32_t seq, const struct secasvar *sav)
2124	{
2125	const struct secreplay *replay;
2126	u_int32_t diff;
2127	int fr;
2128	u_int32_t wsizeb; / constant: bits of window size /
2129	int frlast; / constant: last frame /
2130
2131	IPSEC_SPLASSERT_SOFTNET(__func__);
2132
2133	IPSEC_ASSERT(sav != NULL, ("%s: Null SA", __func__));
2134	IPSEC_ASSERT(sav->replay != NULL, ("%s: Null replay state", __func__));
2135
2136	replay = sav->replay;
2137
2138	if (replay->wsize == `0`)
2139	return `1`; / no need to check replay. /
2140
2141	/ constant /
2142	frlast = replay->wsize - `1`;
2143	wsizeb = replay->wsize << `3`;
2144
2145	/ sequence number of 0 is invalid /
2146	if (seq == `0`)
2147	return `0`;
2148
2149	/ first time is always okay /
2150	if (replay->count == `0`)
2151	return `1`;
2152
2153	if (seq > replay->lastseq) {
2154	/ larger sequences are okay /
2155	return `1`;
2156	} else {
2157	/ seq is equal or less than lastseq. /
2158	diff = replay->lastseq - seq;
2159
2160	/ over range to check, i.e. too old or wrapped /
2161	if (diff >= wsizeb)
2162	return `0`;
2163
2164	fr = frlast - diff / `8`;
2165
2166	/ this packet already seen ? /
2167	if ((replay->bitmap)[fr] & (`1` << (diff % `8`)))
2168	return `0`;
2169
2170	/ out of order but good /
2171	return `1`;
2172	}
2173	}
2174
2175	/*
2176	* check replay counter whether to update or not.
2177	* OUT: 0: OK
2178	* 1: NG
2179	*/
2180	int
2181	ipsec_updatereplay(u_int32_t seq, const struct secasvar *sav)
2182	{
2183	struct secreplay *replay;
2184	u_int32_t diff;
2185	int fr;
2186	u_int32_t wsizeb; / constant: bits of window size /
2187	int frlast; / constant: last frame /
2188
2189	IPSEC_SPLASSERT_SOFTNET(__func__);
2190
2191	IPSEC_ASSERT(sav != NULL, ("%s: Null SA", __func__));
2192	IPSEC_ASSERT(sav->replay != NULL, ("%s: Null replay state", __func__));
2193
2194	replay = sav->replay;
2195
2196	if (replay->wsize == `0`)
2197	goto ok; / no need to check replay. /
2198
2199	/ constant /
2200	frlast = replay->wsize - `1`;
2201	wsizeb = replay->wsize << `3`;
2202
2203	/ sequence number of 0 is invalid /
2204	if (seq == `0`)
2205	return `1`;
2206
2207	/ first time /
2208	if (replay->count == `0`) {
2209	replay->lastseq = seq;
2210	memset(replay->bitmap, `0`, replay->wsize);
2211	(replay->bitmap)[frlast] = `1`;
2212	goto ok;
2213	}
2214
2215	if (seq > replay->lastseq) {
2216	/ seq is larger than lastseq. /
2217	diff = seq - replay->lastseq;
2218
2219	/ new larger sequence number /
2220	if (diff < wsizeb) {
2221	/ In window /
2222	/ set bit for this packet /
2223	vshiftl(replay->bitmap, diff, replay->wsize);
2224	(replay->bitmap)[frlast] \|= `1`;
2225	} else {
2226	/ this packet has a "way larger" /
2227	memset(replay->bitmap, `0`, replay->wsize);
2228	(replay->bitmap)[frlast] = `1`;
2229	}
2230	replay->lastseq = seq;
2231
2232	/ larger is good /
2233	} else {
2234	/ seq is equal or less than lastseq. /
2235	diff = replay->lastseq - seq;
2236
2237	/ over range to check, i.e. too old or wrapped /
2238	if (diff >= wsizeb)
2239	return `1`;
2240
2241	fr = frlast - diff / `8`;
2242
2243	/ this packet already seen ? /
2244	if ((replay->bitmap)[fr] & (`1` << (diff % `8`)))
2245	return `1`;
2246
2247	/ mark as seen /
2248	(replay->bitmap)[fr] \|= (`1` << (diff % `8`));
2249
2250	/ out of order but good /
2251	}
2252
2253	ok:
2254	if (replay->count == ~`0`) {
2255
2256	/ set overflow flag /
2257	replay->overflow++;
2258
2259	/ don't increment, no more packets accepted /
2260	if ((sav->flags & SADB_X_EXT_CYCSEQ) == `0`)
2261	return `1`;
2262
2263	ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2264	replay->overflow, ipsec_logsastr(sav)));
2265	}
2266
2267	replay->count++;
2268
2269	return `0`;
2270	}
2271
2272	/*
2273	* shift variable length bunffer to left.
2274	* IN: bitmap: pointer to the buffer
2275	* nbit: the number of to shift.
2276	* wsize: buffer size (bytes).
2277	*/
2278	static void
2279	vshiftl(unsigned char bitmap, int* nbit, int wsize)
2280	{
2281	int s, j, i;
2282	unsigned char over;
2283
2284	for (j = `0`; j < nbit; j += `8`) {
2285	s = (nbit - j < `8`) ? (nbit - j): `8`;
2286	bitmap[`0`] <<= s;
2287	for (i = `1`; i < wsize; i++) {
2288	over = (bitmap[i] >> (`8` - s));
2289	bitmap[i] <<= s;
2290	bitmap[i-`1`] \|= over;
2291	}
2292	}
2293
2294	return;
2295	}
2296
2297	/ Return a printable string for the IPv4 address. /
2298	static char *
2299	inet_ntoa4(struct in_addr ina)
2300	{
2301	static char buf[`4`][`4` * sizeof "123" + `4`];
2302	unsigned char ucp = (unsigned* char *) &ina;
2303	static int i = `3`;
2304
2305	i = (i + `1`) % `4`;
2306	snprintf(buf[i], sizeof(buf[i]), "%d.%d.%d.%d",
2307	ucp[`0`] & `0xff`, ucp[`1`] & `0xff`, ucp[`2`] & `0xff`, ucp[`3`] & `0xff`);
2308	return (buf[i]);
2309	}
2310
2311	/ Return a printable string for the address. /
2312	const char *
2313	ipsec_address(const union sockaddr_union *sa)
2314	{
2315	switch (sa->sa.sa_family) {
2316	#if INET
2317	case AF_INET:
2318	return inet_ntoa4(sa->sin.sin_addr);
2319	#endif /* INET */
2320
2321	#if INET6
2322	case AF_INET6:
2323	return ip6_sprintf(&sa->sin6.sin6_addr);
2324	#endif /* INET6 */
2325
2326	default:
2327	return "(unknown address family)";
2328	}
2329	}
2330
2331	const char *
2332	ipsec_logsastr(const struct secasvar *sav)
2333	{
2334	static char buf[`256`];
2335	char *p;
2336	const struct secasindex *saidx = &sav->sah->saidx;
2337
2338	IPSEC_ASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
2339	("%s: address family mismatch", __func__));
2340
2341	p = buf;
2342	snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
2343	while (p && *p)
2344	p++;
2345	/ NB: only use ipsec_address on one address at a time /
2346	snprintf(p, sizeof (buf) - (p - buf), "src=%s ",
2347	ipsec_address(&saidx->src));
2348	while (p && *p)
2349	p++;
2350	snprintf(p, sizeof (buf) - (p - buf), "dst=%s)",
2351	ipsec_address(&saidx->dst));
2352
2353	return buf;
2354	}
2355
2356	void
2357	ipsec_dumpmbuf(struct mbuf *m)
2358	{
2359	int totlen;
2360	int i;
2361	u_char *p;
2362
2363	totlen = `0`;
2364	printf("---\n");
2365	while (m) {
2366	p = mtod(m, u_char *);
2367	for (i = `0`; i < m->m_len; i++) {
2368	printf("%02x ", p[i]);
2369	totlen++;
2370	if (totlen % `16` == `0`)
2371	printf("\n");
2372	}
2373	m = m->m_next;
2374	}
2375	if (totlen % `16` != `0`)
2376	printf("\n");
2377	printf("---\n");
2378	}
2379
2380	#ifdef INET6
2381	struct secpolicy *
2382	ipsec6_check_policy(struct mbuf m, const* struct socket *so,
2383	int flags, int needipsecp, int* *errorp)
2384	{
2385	struct in6pcb *in6p = NULL;
2386	struct secpolicy *sp = NULL;
2387	int s;
2388	int error = `0`;
2389	int needipsec = `0`;
2390
2391	if (so != NULL && so->so_proto->pr_domain->dom_family == AF_INET6)
2392	in6p = sotoin6pcb(so);
2393
2394	if (!ipsec_outdone(m)) {
2395	s = splsoftnet();
2396	if (in6p != NULL &&
2397	IPSEC_PCB_SKIP_IPSEC(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) {
2398	splx(s);
2399	goto skippolicycheck;
2400	}
2401	sp = ipsec6_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error,in6p);
2402
2403	/*
2404	* There are four return cases:
2405	* sp != NULL apply IPsec policy
2406	* sp == NULL, error == 0 no IPsec handling needed
2407	* sp == NULL, error == -EINVAL discard packet w/o error
2408	* sp == NULL, error != 0 discard packet, report error
2409	*/
2410
2411	splx(s);
2412	if (sp == NULL) {
2413	/*
2414	* Caller must check the error return to see if it needs to discard
2415	* the packet.
2416	*/
2417	needipsec = `0`;
2418	} else {
2419	needipsec = `1`;
2420	}
2421	}
2422	skippolicycheck:;
2423
2424	*errorp = error;
2425	*needipsecp = needipsec;
2426	return sp;
2427	}
2428
2429	int
2430	ipsec6_input(struct mbuf *m)
2431	{
2432	struct m_tag *mtag;
2433	struct tdb_ident *tdbi;
2434	struct secpolicy *sp;
2435	int s, error;
2436
2437	/*
2438	* Check if the packet has already had IPsec
2439	* processing done. If so, then just pass it
2440	* along. This tag gets set during AH, ESP,
2441	* etc. input handling, before the packet is
2442	* returned to the ip input queue for delivery.
2443	*/
2444	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
2445	NULL);
2446	s = splsoftnet();
2447	if (mtag != NULL) {
2448	tdbi = (struct tdb_ident *)(mtag + `1`);
2449	sp = ipsec_getpolicy(tdbi,
2450	IPSEC_DIR_INBOUND);
2451	} else {
2452	sp = ipsec_getpolicybyaddr(m,
2453	IPSEC_DIR_INBOUND, IP_FORWARDING,
2454	&error);
2455	}
2456	if (sp != NULL) {
2457	/*
2458	* Check security policy against packet
2459	* attributes.
2460	*/
2461	error = ipsec_in_reject(sp, m);
2462	KEY_FREESP(&sp);
2463	} else {
2464	/ XXX error stat??? /
2465	error = EINVAL;
2466	DPRINTF(("ip6_input: no SP, packet"
2467	" discarded\n"));/XXX/
2468	}
2469	splx(s);
2470
2471	return error;
2472	}
2473	#endif /* INET6 */
2474
2475
2476
2477	/ XXX this stuff doesn't belong here... /
2478
2479	static struct xformsw *xforms = NULL;
2480
2481	/*
2482	* Register a transform; typically at system startup.
2483	*/
2484	void
2485	xform_register(struct xformsw *xsp)
2486	{
2487	xsp->xf_next = xforms;
2488	xforms = xsp;
2489	}
2490
2491	/*
2492	* Initialize transform support in an sav.
2493	*/
2494	int
2495	xform_init(struct secasvar sav, int* xftype)
2496	{
2497	struct xformsw *xsp;
2498
2499	if (sav->tdb_xform != NULL) / previously initialized /
2500	return `0`;
2501	for (xsp = xforms; xsp; xsp = xsp->xf_next)
2502	if (xsp->xf_type == xftype)
2503	return (*xsp->xf_init)(sav, xsp);
2504
2505	DPRINTF(("%s: no match for xform type %d\n", __func__, xftype));
2506	return EINVAL;
2507	}
2508
2509	void
2510	nat_t_ports_get(struct mbuf m, u_int16_t dport, u_int16_t *sport) {
2511	struct m_tag *tag;
2512
2513	if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
2514	sport = ((u_int16_t )(tag + `1`))[`0`];
2515	dport = ((u_int16_t )(tag + `1`))[`1`];
2516	} else
2517	sport = dport = `0`;
2518	}
2519
2520	#ifdef __NetBSD__
2521	/*
2522	* XXXJRT This should be done as a protosw init call.
2523	*/
2524	void
2525	ipsec_attach(void)
2526	{
2527
2528	ipsecstat_percpu = percpu_alloc(sizeof(uint64_t) * IPSEC_NSTATS);
2529
2530	ah_attach();
2531	esp_attach();
2532	ipcomp_attach();
2533	ipe4_attach();
2534	#ifdef TCP_SIGNATURE
2535	tcpsignature_attach();
2536	#endif
2537	}
2538	#endif /* __NetBSD__ */
2539

Browse the source code of src/src/sys/netipsec/ipsec.c