Home | History | Annotate | Line # | Download | only in netipsec
ipsec.c revision 1.159
      1 /* $NetBSD: ipsec.c,v 1.159 2018/04/28 14:21:03 maxv Exp $ */
      2 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
      3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *	notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *	notice, this list of conditions and the following disclaimer in the
     16  *	documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *	may be used to endorse or promote products derived from this software
     19  *	without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #include <sys/cdefs.h>
     35 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.159 2018/04/28 14:21:03 maxv Exp $");
     36 
     37 /*
     38  * IPsec controller part.
     39  */
     40 
     41 #if defined(_KERNEL_OPT)
     42 #include "opt_inet.h"
     43 #include "opt_ipsec.h"
     44 #endif
     45 
     46 #include <sys/param.h>
     47 #include <sys/systm.h>
     48 #include <sys/mbuf.h>
     49 #include <sys/domain.h>
     50 #include <sys/protosw.h>
     51 #include <sys/socket.h>
     52 #include <sys/socketvar.h>
     53 #include <sys/errno.h>
     54 #include <sys/time.h>
     55 #include <sys/kernel.h>
     56 #include <sys/syslog.h>
     57 #include <sys/sysctl.h>
     58 #include <sys/proc.h>
     59 #include <sys/kauth.h>
     60 #include <sys/cpu.h>
     61 #include <sys/kmem.h>
     62 #include <sys/pserialize.h>
     63 
     64 #include <net/if.h>
     65 #include <net/route.h>
     66 
     67 #include <netinet/in.h>
     68 #include <netinet/in_systm.h>
     69 #include <netinet/ip.h>
     70 #include <netinet/ip_var.h>
     71 #include <netinet/in_var.h>
     72 #include <netinet/udp.h>
     73 #include <netinet/udp_var.h>
     74 #include <netinet/tcp.h>
     75 #include <netinet/udp.h>
     76 #include <netinet/ip_icmp.h>
     77 #include <netinet/ip_private.h>
     78 
     79 #include <netinet/ip6.h>
     80 #ifdef INET6
     81 #include <netinet6/ip6_var.h>
     82 #endif
     83 #include <netinet/in_pcb.h>
     84 #ifdef INET6
     85 #include <netinet6/in6_pcb.h>
     86 #include <netinet/icmp6.h>
     87 #endif
     88 
     89 #include <netipsec/ipsec.h>
     90 #include <netipsec/ipsec_var.h>
     91 #include <netipsec/ipsec_private.h>
     92 #ifdef INET6
     93 #include <netipsec/ipsec6.h>
     94 #endif
     95 #include <netipsec/ah_var.h>
     96 #include <netipsec/esp_var.h>
     97 #include <netipsec/ipcomp.h>		/*XXX*/
     98 #include <netipsec/ipcomp_var.h>
     99 
    100 #include <netipsec/key.h>
    101 #include <netipsec/keydb.h>
    102 #include <netipsec/key_debug.h>
    103 
    104 #include <netipsec/xform.h>
    105 
    106 int ipsec_used = 0;
    107 int ipsec_enabled = 1;
    108 
    109 #ifdef IPSEC_DEBUG
    110 int ipsec_debug = 1;
    111 
    112 /*
    113  * When set to 1, IPsec will send packets with the same sequence number.
    114  * This allows to verify if the other side has proper replay attacks detection.
    115  */
    116 int ipsec_replay = 0;
    117 
    118 /*
    119  * When set 1, IPsec will send packets with corrupted HMAC.
    120  * This allows to verify if the other side properly detects modified packets.
    121  */
    122 int ipsec_integrity = 0;
    123 #else
    124 int ipsec_debug = 0;
    125 #endif
    126 
    127 percpu_t *ipsecstat_percpu;
    128 
    129 int ip4_ah_offsetmask = 0;	/* maybe IP_DF? */
    130 int ip4_ipsec_dfbit = 2;	/* DF bit on encap. 0: clear 1: set 2: copy */
    131 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
    132 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
    133 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
    134 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
    135 struct secpolicy ip4_def_policy;
    136 int ip4_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
    137 
    138 u_int ipsec_spdgen = 1;		/* SPD generation # */
    139 
    140 static struct secpolicy ipsec_dummy_sp __read_mostly = {
    141 	.state		= IPSEC_SPSTATE_ALIVE,
    142 	/* If ENTRUST, the dummy SP never be used. See ipsec_getpolicybysock. */
    143 	.policy		= IPSEC_POLICY_ENTRUST,
    144 };
    145 
    146 static struct secpolicy *ipsec_checkpcbcache(struct mbuf *,
    147     struct inpcbpolicy *, int);
    148 static int ipsec_fillpcbcache(struct inpcbpolicy *, struct mbuf *,
    149     struct secpolicy *, int);
    150 static int ipsec_invalpcbcache(struct inpcbpolicy *, int);
    151 
    152 /*
    153  * Crypto support requirements:
    154  *
    155  *  1	require hardware support
    156  * -1	require software support
    157  *  0	take anything
    158  */
    159 int crypto_support = 0;
    160 
    161 static struct secpolicy *ipsec_getpolicybysock(struct mbuf *, u_int,
    162     struct inpcb_hdr *, int *);
    163 
    164 #ifdef INET6
    165 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
    166 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
    167 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
    168 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
    169 struct secpolicy ip6_def_policy;
    170 int ip6_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
    171 #endif
    172 
    173 static int ipsec_setspidx_inpcb(struct mbuf *, void *);
    174 static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int);
    175 static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
    176 static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
    177 #ifdef INET6
    178 static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
    179 static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
    180 #endif
    181 static void ipsec_delpcbpolicy(struct inpcbpolicy *);
    182 static void ipsec_destroy_policy(struct secpolicy *);
    183 static int ipsec_sp_reject(const struct secpolicy *, const struct mbuf *);
    184 static void vshiftl(unsigned char *, int, int);
    185 static size_t ipsec_sp_hdrsiz(const struct secpolicy *, const struct mbuf *);
    186 
    187 /*
    188  * Try to validate and use cached policy on a PCB.
    189  */
    190 static struct secpolicy *
    191 ipsec_checkpcbcache(struct mbuf *m, struct inpcbpolicy *pcbsp, int dir)
    192 {
    193 	struct secpolicyindex spidx;
    194 	struct secpolicy *sp = NULL;
    195 	int s;
    196 
    197 	KASSERT(IPSEC_DIR_IS_VALID(dir));
    198 	KASSERT(pcbsp != NULL);
    199 	KASSERT(dir < __arraycount(pcbsp->sp_cache));
    200 	KASSERT(inph_locked(pcbsp->sp_inph));
    201 
    202 	/*
    203 	 * Checking the generation and sp->state and taking a reference to an SP
    204 	 * must be in a critical section of pserialize. See key_unlink_sp.
    205 	 */
    206 	s = pserialize_read_enter();
    207 	/* SPD table change invalidate all the caches. */
    208 	if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
    209 		ipsec_invalpcbcache(pcbsp, dir);
    210 		goto out;
    211 	}
    212 	sp = pcbsp->sp_cache[dir].cachesp;
    213 	if (sp == NULL)
    214 		goto out;
    215 	if (sp->state != IPSEC_SPSTATE_ALIVE) {
    216 		sp = NULL;
    217 		ipsec_invalpcbcache(pcbsp, dir);
    218 		goto out;
    219 	}
    220 	if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
    221 		/* NB: assume ipsec_setspidx never sleep */
    222 		if (ipsec_setspidx(m, &spidx, 1) != 0) {
    223 			sp = NULL;
    224 			goto out;
    225 		}
    226 
    227 		/*
    228 		 * We have to make an exact match here since the cached rule
    229 		 * might have lower priority than a rule that would otherwise
    230 		 * have matched the packet.
    231 		 */
    232 		if (memcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx,
    233 		    sizeof(spidx))) {
    234 			sp = NULL;
    235 			goto out;
    236 		}
    237 	} else {
    238 		/*
    239 		 * The pcb is connected, and the L4 code is sure that:
    240 		 * - outgoing side uses inp_[lf]addr
    241 		 * - incoming side looks up policy after inpcb lookup
    242 		 * and address pair is know to be stable.  We do not need
    243 		 * to generate spidx again, nor check the address match again.
    244 		 *
    245 		 * For IPv4/v6 SOCK_STREAM sockets, this assumptions holds
    246 		 * and there are calls to ipsec_pcbconn() from in_pcbconnect().
    247 		 */
    248 	}
    249 
    250 	sp->lastused = time_second;
    251 	KEY_SP_REF(sp);
    252 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
    253 	    "DP cause refcnt++:%d SP:%p\n",
    254 	    key_sp_refcnt(sp), pcbsp->sp_cache[dir].cachesp);
    255 out:
    256 	pserialize_read_exit(s);
    257 	return sp;
    258 }
    259 
    260 static int
    261 ipsec_fillpcbcache(struct inpcbpolicy *pcbsp, struct mbuf *m,
    262     struct secpolicy *sp, int dir)
    263 {
    264 
    265 	KASSERT(IPSEC_DIR_IS_INOROUT(dir));
    266 	KASSERT(dir < __arraycount(pcbsp->sp_cache));
    267 	KASSERT(inph_locked(pcbsp->sp_inph));
    268 
    269 	pcbsp->sp_cache[dir].cachesp = NULL;
    270 	pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_UNKNOWN;
    271 	if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, 1) != 0) {
    272 		return EINVAL;
    273 	}
    274 	pcbsp->sp_cache[dir].cachesp = sp;
    275 	if (pcbsp->sp_cache[dir].cachesp) {
    276 		/*
    277 		 * If the PCB is connected, we can remember a hint to
    278 		 * possibly short-circuit IPsec processing in other places.
    279 		 */
    280 		if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
    281 			switch (pcbsp->sp_cache[dir].cachesp->policy) {
    282 			case IPSEC_POLICY_NONE:
    283 			case IPSEC_POLICY_BYPASS:
    284 				pcbsp->sp_cache[dir].cachehint =
    285 				    IPSEC_PCBHINT_NO;
    286 				break;
    287 			default:
    288 				pcbsp->sp_cache[dir].cachehint =
    289 				    IPSEC_PCBHINT_YES;
    290 			}
    291 		}
    292 	}
    293 	pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
    294 
    295 	return 0;
    296 }
    297 
    298 static int
    299 ipsec_invalpcbcache(struct inpcbpolicy *pcbsp, int dir)
    300 {
    301 	int i;
    302 
    303 	KASSERT(inph_locked(pcbsp->sp_inph));
    304 
    305 	for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
    306 		if (dir != IPSEC_DIR_ANY && i != dir)
    307 			continue;
    308 		pcbsp->sp_cache[i].cachesp = NULL;
    309 		pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_UNKNOWN;
    310 		pcbsp->sp_cache[i].cachegen = 0;
    311 		memset(&pcbsp->sp_cache[i].cacheidx, 0,
    312 		    sizeof(pcbsp->sp_cache[i].cacheidx));
    313 	}
    314 	return 0;
    315 }
    316 
    317 void
    318 ipsec_pcbconn(struct inpcbpolicy *pcbsp)
    319 {
    320 
    321 	KASSERT(inph_locked(pcbsp->sp_inph));
    322 
    323 	pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
    324 	ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
    325 }
    326 
    327 void
    328 ipsec_pcbdisconn(struct inpcbpolicy *pcbsp)
    329 {
    330 
    331 	KASSERT(inph_locked(pcbsp->sp_inph));
    332 
    333 	pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
    334 	ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
    335 }
    336 
    337 void
    338 ipsec_invalpcbcacheall(void)
    339 {
    340 
    341 	if (ipsec_spdgen == UINT_MAX)
    342 		ipsec_spdgen = 1;
    343 	else
    344 		ipsec_spdgen++;
    345 }
    346 
    347 /*
    348  * Return a held reference to the default SP.
    349  */
    350 static struct secpolicy *
    351 key_get_default_sp(int af, const char *where, int tag)
    352 {
    353 	struct secpolicy *sp;
    354 
    355 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
    356 
    357 	switch(af) {
    358 	case AF_INET:
    359 		sp = &ip4_def_policy;
    360 		break;
    361 #ifdef INET6
    362 	case AF_INET6:
    363 		sp = &ip6_def_policy;
    364 		break;
    365 #endif
    366 	default:
    367 		KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
    368 		    "unexpected protocol family %u\n", af);
    369 		return NULL;
    370 	}
    371 
    372 	if (sp->policy != IPSEC_POLICY_DISCARD &&
    373 	    sp->policy != IPSEC_POLICY_NONE) {
    374 		IPSECLOG(LOG_INFO, "fixed system default policy: %d->%d\n",
    375 		    sp->policy, IPSEC_POLICY_NONE);
    376 		sp->policy = IPSEC_POLICY_NONE;
    377 	}
    378 	KEY_SP_REF(sp);
    379 
    380 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP returns SP:%p (%u)\n",
    381 	    sp, key_sp_refcnt(sp));
    382 	return sp;
    383 }
    384 
    385 #define	KEY_GET_DEFAULT_SP(af) \
    386 	key_get_default_sp((af), __func__, __LINE__)
    387 
    388 /*
    389  * For OUTBOUND packet having a socket. Searching SPD for packet,
    390  * and return a pointer to SP.
    391  * OUT:	NULL:	no appropriate SP found, the following value is set to error.
    392  *		0	: bypass
    393  *		EACCES	: discard packet.
    394  *		ENOENT	: ipsec_acquire() in progress, maybe.
    395  *		others	: error occurred.
    396  *	others:	a pointer to SP
    397  *
    398  * NOTE: IPv6 mapped address concern is implemented here.
    399  */
    400 static struct secpolicy *
    401 ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph,
    402     int *error)
    403 {
    404 	struct inpcbpolicy *pcbsp = NULL;
    405 	struct secpolicy *currsp = NULL;	/* policy on socket */
    406 	struct secpolicy *sp;
    407 	int af;
    408 
    409 	KASSERT(m != NULL);
    410 	KASSERT(inph != NULL);
    411 	KASSERT(error != NULL);
    412 	KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
    413 
    414 	KASSERT(inph->inph_socket != NULL);
    415 	KASSERT(inph_locked(inph));
    416 
    417 	/* XXX FIXME inpcb/in6pcb vs socket*/
    418 	af = inph->inph_af;
    419 	KASSERTMSG(af == AF_INET || af == AF_INET6,
    420 	    "unexpected protocol family %u", af);
    421 
    422 	KASSERT(inph->inph_sp != NULL);
    423 	/* If we have a cached entry, and if it is still valid, use it. */
    424 	IPSEC_STATINC(IPSEC_STAT_SPDCACHELOOKUP);
    425 	currsp = ipsec_checkpcbcache(m, inph->inph_sp, dir);
    426 	if (currsp) {
    427 		*error = 0;
    428 		return currsp;
    429 	}
    430 	IPSEC_STATINC(IPSEC_STAT_SPDCACHEMISS);
    431 
    432 	switch (af) {
    433 	case AF_INET:
    434 #if defined(INET6)
    435 	case AF_INET6:
    436 #endif
    437 		*error = ipsec_setspidx_inpcb(m, inph);
    438 		pcbsp = inph->inph_sp;
    439 		break;
    440 	default:
    441 		*error = EPFNOSUPPORT;
    442 		break;
    443 	}
    444 	if (*error)
    445 		return NULL;
    446 
    447 	KASSERT(pcbsp != NULL);
    448 	switch (dir) {
    449 	case IPSEC_DIR_INBOUND:
    450 		currsp = pcbsp->sp_in;
    451 		break;
    452 	case IPSEC_DIR_OUTBOUND:
    453 		currsp = pcbsp->sp_out;
    454 		break;
    455 	}
    456 	KASSERT(currsp != NULL);
    457 
    458 	if (pcbsp->priv) {	/* when privileged socket */
    459 		switch (currsp->policy) {
    460 		case IPSEC_POLICY_BYPASS:
    461 		case IPSEC_POLICY_IPSEC:
    462 			KEY_SP_REF(currsp);
    463 			sp = currsp;
    464 			break;
    465 
    466 		case IPSEC_POLICY_ENTRUST:
    467 			/* look for a policy in SPD */
    468 			sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir);
    469 			if (sp == NULL)		/* no SP found */
    470 				sp = KEY_GET_DEFAULT_SP(af);
    471 			break;
    472 
    473 		default:
    474 			IPSECLOG(LOG_ERR, "Invalid policy for PCB %d\n",
    475 			    currsp->policy);
    476 			*error = EINVAL;
    477 			return NULL;
    478 		}
    479 	} else {				/* unpriv, SPD has policy */
    480 		sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir);
    481 		if (sp == NULL) {		/* no SP found */
    482 			switch (currsp->policy) {
    483 			case IPSEC_POLICY_BYPASS:
    484 				IPSECLOG(LOG_ERR, "Illegal policy for "
    485 				    "non-priviliged defined %d\n",
    486 				    currsp->policy);
    487 				*error = EINVAL;
    488 				return NULL;
    489 
    490 			case IPSEC_POLICY_ENTRUST:
    491 				sp = KEY_GET_DEFAULT_SP(af);
    492 				break;
    493 
    494 			case IPSEC_POLICY_IPSEC:
    495 				KEY_SP_REF(currsp);
    496 				sp = currsp;
    497 				break;
    498 
    499 			default:
    500 				IPSECLOG(LOG_ERR, "Invalid policy for "
    501 				    "PCB %d\n", currsp->policy);
    502 				*error = EINVAL;
    503 				return NULL;
    504 			}
    505 		}
    506 	}
    507 	KASSERTMSG(sp != NULL, "null SP (priv %u policy %u", pcbsp->priv,
    508 	    currsp->policy);
    509 	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
    510 	    "DP (priv %u policy %u) allocates SP:%p (refcnt %u)\n",
    511 	    pcbsp->priv, currsp->policy, sp, key_sp_refcnt(sp));
    512 	ipsec_fillpcbcache(pcbsp, m, sp, dir);
    513 	return sp;
    514 }
    515 
    516 /*
    517  * For FORWARDING packet or OUTBOUND without a socket. Searching SPD for packet,
    518  * and return a pointer to SP.
    519  * OUT:	positive: a pointer to the entry for security policy leaf matched.
    520  *	NULL:	no appropriate SP found, the following value is set to error.
    521  *		0	: bypass
    522  *		EACCES	: discard packet.
    523  *		ENOENT	: ipsec_acquire() in progress, maybe.
    524  *		others	: error occurred.
    525  */
    526 static struct secpolicy *
    527 ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
    528 {
    529 	struct secpolicyindex spidx;
    530 	struct secpolicy *sp;
    531 
    532 	KASSERT(m != NULL);
    533 	KASSERT(error != NULL);
    534 	KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
    535 
    536 	sp = NULL;
    537 
    538 	/* Make an index to look for a policy. */
    539 	*error = ipsec_setspidx(m, &spidx, (flag & IP_FORWARDING) ? 0 : 1);
    540 	if (*error != 0) {
    541 		IPSECLOG(LOG_DEBUG, "setpidx failed, dir %u flag %u\n", dir, flag);
    542 		memset(&spidx, 0, sizeof(spidx));
    543 		return NULL;
    544 	}
    545 
    546 	spidx.dir = dir;
    547 
    548 	if (key_havesp(dir)) {
    549 		sp = KEY_LOOKUP_SP_BYSPIDX(&spidx, dir);
    550 	}
    551 	if (sp == NULL) {
    552 		/* no SP found, use system default */
    553 		sp = KEY_GET_DEFAULT_SP(spidx.dst.sa.sa_family);
    554 	}
    555 
    556 	KASSERT(sp != NULL);
    557 	return sp;
    558 }
    559 
    560 static struct secpolicy *
    561 ipsec_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
    562     void *inp)
    563 {
    564 	struct secpolicy *sp;
    565 
    566 	*error = 0;
    567 
    568 	if (inp == NULL) {
    569 		sp = ipsec_getpolicybyaddr(m, dir, flag, error);
    570 	} else {
    571 		struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
    572 		KASSERT(inph->inph_socket != NULL);
    573 		sp = ipsec_getpolicybysock(m, dir, inph, error);
    574 	}
    575 	if (sp == NULL) {
    576 		KASSERTMSG(*error != 0, "getpolicy failed w/o error");
    577 		IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
    578 		return NULL;
    579 	}
    580 	KASSERTMSG(*error == 0, "sp w/ error set to %u", *error);
    581 
    582 	switch (sp->policy) {
    583 	case IPSEC_POLICY_ENTRUST:
    584 	default:
    585 		printf("%s: invalid policy %u\n", __func__, sp->policy);
    586 		/* fall thru... */
    587 	case IPSEC_POLICY_DISCARD:
    588 		IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO);
    589 		*error = -EINVAL;	/* packet is discarded by caller */
    590 		break;
    591 	case IPSEC_POLICY_BYPASS:
    592 	case IPSEC_POLICY_NONE:
    593 		KEY_SP_UNREF(&sp);
    594 		sp = NULL;		/* NB: force NULL result */
    595 		break;
    596 	case IPSEC_POLICY_IPSEC:
    597 		KASSERT(sp->req != NULL);
    598 		break;
    599 	}
    600 
    601 	if (*error != 0) {
    602 		KEY_SP_UNREF(&sp);
    603 		sp = NULL;
    604 		IPSECLOG(LOG_DEBUG, "done, error %d\n", *error);
    605 	}
    606 
    607 	return sp;
    608 }
    609 
    610 int
    611 ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
    612     u_long *mtu, bool *natt_frag, bool *done)
    613 {
    614 	struct secpolicy *sp = NULL;
    615 	u_long _mtu = 0;
    616 	int error, s;
    617 
    618 	/*
    619 	 * Check the security policy (SP) for the packet and, if required,
    620 	 * do IPsec-related processing.  There are two cases here; the first
    621 	 * time a packet is sent through it will be untagged and handled by
    622 	 * ipsec_checkpolicy().  If the packet is resubmitted to ip_output
    623 	 * (e.g. after AH, ESP, etc. processing), there will be a tag to
    624 	 * bypass the lookup and related policy checking.
    625 	 */
    626 	if (ipsec_outdone(m)) {
    627 		return 0;
    628 	}
    629 	s = splsoftnet();
    630 	if (inp && ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND)) {
    631 		splx(s);
    632 		return 0;
    633 	}
    634 	sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp);
    635 
    636 	/*
    637 	 * There are four return cases:
    638 	 *	sp != NULL                    apply IPsec policy
    639 	 *	sp == NULL, error == 0        no IPsec handling needed
    640 	 *	sp == NULL, error == -EINVAL  discard packet w/o error
    641 	 *	sp == NULL, error != 0        discard packet, report error
    642 	 */
    643 	if (sp == NULL) {
    644 		splx(s);
    645 		if (error) {
    646 			/*
    647 			 * Hack: -EINVAL is used to signal that a packet
    648 			 * should be silently discarded.  This is typically
    649 			 * because we asked key management for an SA and
    650 			 * it was delayed (e.g. kicked up to IKE).
    651 			 */
    652 			if (error == -EINVAL)
    653 				error = 0;
    654 			m_freem(m);
    655 			*done = true;
    656 			return error;
    657 		}
    658 		/* No IPsec processing for this packet. */
    659 		return 0;
    660 	}
    661 
    662 	/*
    663 	 * Do delayed checksums now because we send before
    664 	 * this is done in the normal processing path.
    665 	 */
    666 	if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
    667 		in_delayed_cksum(m);
    668 		m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
    669 	}
    670 
    671 	error = ipsec4_process_packet(m, sp->req, &_mtu);
    672 	if (error == 0 && _mtu != 0) {
    673 		/*
    674 		 * NAT-T ESP fragmentation: do not do IPSec processing
    675 		 * now, we will do it on each fragmented packet.
    676 		 */
    677 		*mtu = _mtu;
    678 		*natt_frag = true;
    679 		KEY_SP_UNREF(&sp);
    680 		splx(s);
    681 		return 0;
    682 	}
    683 
    684 	/*
    685 	 * Preserve KAME behaviour: ENOENT can be returned
    686 	 * when an SA acquire is in progress.  Don't propagate
    687 	 * this to user-level; it confuses applications.
    688 	 *
    689 	 * XXX this will go away when the SADB is redone.
    690 	 */
    691 	if (error == ENOENT)
    692 		error = 0;
    693 	KEY_SP_UNREF(&sp);
    694 	splx(s);
    695 	*done = true;
    696 	return error;
    697 }
    698 
    699 int
    700 ipsec4_input(struct mbuf *m, int flags)
    701 {
    702 	struct secpolicy *sp;
    703 	int error, s;
    704 
    705 	s = splsoftnet();
    706 	error = ipsec_in_reject(m, NULL);
    707 	splx(s);
    708 	if (error) {
    709 		return EINVAL;
    710 	}
    711 
    712 	if (flags == 0) {
    713 		/* We are done. */
    714 		return 0;
    715 	}
    716 
    717 	/*
    718 	 * Peek at the outbound SP for this packet to determine if
    719 	 * it is a Fast Forward candidate.
    720 	 */
    721 	s = splsoftnet();
    722 	sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL);
    723 	if (sp != NULL) {
    724 		m->m_flags &= ~M_CANFASTFWD;
    725 		KEY_SP_UNREF(&sp);
    726 	}
    727 	splx(s);
    728 	return 0;
    729 }
    730 
    731 /*
    732  * If the packet is routed over IPsec tunnel, tell the originator the
    733  * tunnel MTU.
    734  *     tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
    735  *
    736  * XXX: Quick hack!!!
    737  *
    738  * XXX: And what if the MTU goes negative?
    739  */
    740 int
    741 ipsec4_forward(struct mbuf *m, int *destmtu)
    742 {
    743 	struct secpolicy *sp;
    744 	size_t ipsechdr;
    745 	int error;
    746 
    747 	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
    748 	    &error);
    749 	if (sp == NULL) {
    750 		return EINVAL;
    751 	}
    752 
    753 	/* Count IPsec header size. */
    754 	ipsechdr = ipsec_sp_hdrsiz(sp, m);
    755 
    756 	/*
    757 	 * Find the correct route for outer IPv4 header, compute tunnel MTU.
    758 	 */
    759 	if (sp->req) {
    760 		struct secasvar *sav;
    761 
    762 		sav = ipsec_lookup_sa(sp->req, m);
    763 		if (sav != NULL) {
    764 			struct route *ro;
    765 			struct rtentry *rt;
    766 
    767 			ro = &sav->sah->sa_route;
    768 			rt = rtcache_validate(ro);
    769 			if (rt && rt->rt_ifp) {
    770 				*destmtu = rt->rt_rmx.rmx_mtu ?
    771 				    rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
    772 				*destmtu -= ipsechdr;
    773 			}
    774 			rtcache_unref(rt, ro);
    775 			KEY_SA_UNREF(&sav);
    776 		}
    777 	}
    778 	KEY_SP_UNREF(&sp);
    779 	return 0;
    780 }
    781 
    782 static int
    783 ipsec_setspidx_inpcb(struct mbuf *m, void *pcb)
    784 {
    785 	struct inpcb_hdr *inph = (struct inpcb_hdr *)pcb;
    786 	int error;
    787 
    788 	KASSERT(inph != NULL);
    789 	KASSERT(inph->inph_sp != NULL);
    790 	KASSERT(inph->inph_sp->sp_out != NULL);
    791 	KASSERT(inph->inph_sp->sp_in != NULL);
    792 
    793 	error = ipsec_setspidx(m, &inph->inph_sp->sp_in->spidx, 1);
    794 	if (error == 0) {
    795 		inph->inph_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND;
    796 		inph->inph_sp->sp_out->spidx = inph->inph_sp->sp_in->spidx;
    797 		inph->inph_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND;
    798 	} else {
    799 		memset(&inph->inph_sp->sp_in->spidx, 0,
    800 		    sizeof(inph->inph_sp->sp_in->spidx));
    801 		memset(&inph->inph_sp->sp_out->spidx, 0,
    802 		    sizeof(inph->inph_sp->sp_out->spidx));
    803 	}
    804 	return error;
    805 }
    806 
    807 /*
    808  * configure security policy index (src/dst/proto/sport/dport)
    809  * by looking at the content of mbuf.
    810  * the caller is responsible for error recovery (like clearing up spidx).
    811  */
    812 static int
    813 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
    814 {
    815 	struct ip *ip = NULL;
    816 	struct ip ipbuf;
    817 	u_int v;
    818 	struct mbuf *n;
    819 	int len;
    820 	int error;
    821 
    822 	KASSERT(m != NULL);
    823 
    824 	/*
    825 	 * validate m->m_pkthdr.len.  we see incorrect length if we
    826 	 * mistakenly call this function with inconsistent mbuf chain
    827 	 * (like 4.4BSD tcp/udp processing).
    828 	 *
    829 	 * XXX XXX XXX: We should remove this.
    830 	 */
    831 	len = 0;
    832 	for (n = m; n; n = n->m_next)
    833 		len += n->m_len;
    834 	if (m->m_pkthdr.len != len) {
    835 		KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
    836 		    "total of m_len(%d) != pkthdr.len(%d), ignored.\n",
    837 		    len, m->m_pkthdr.len);
    838 		KASSERTMSG(0, "impossible");
    839 		return EINVAL;
    840 	}
    841 
    842 	if (m->m_pkthdr.len < sizeof(struct ip)) {
    843 		KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
    844 		    "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
    845 		    m->m_pkthdr.len);
    846 		return EINVAL;
    847 	}
    848 
    849 	if (m->m_len >= sizeof(*ip)) {
    850 		ip = mtod(m, struct ip *);
    851 	} else {
    852 		m_copydata(m, 0, sizeof(ipbuf), &ipbuf);
    853 		ip = &ipbuf;
    854 	}
    855 	v = ip->ip_v;
    856 	switch (v) {
    857 	case 4:
    858 		error = ipsec4_setspidx_ipaddr(m, spidx);
    859 		if (error)
    860 			return error;
    861 		ipsec4_get_ulp(m, spidx, needport);
    862 		return 0;
    863 #ifdef INET6
    864 	case 6:
    865 		if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
    866 			KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
    867 			    "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
    868 			    "ignored.\n", m->m_pkthdr.len);
    869 			return EINVAL;
    870 		}
    871 		error = ipsec6_setspidx_ipaddr(m, spidx);
    872 		if (error)
    873 			return error;
    874 		ipsec6_get_ulp(m, spidx, needport);
    875 		return 0;
    876 #endif
    877 	default:
    878 		KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
    879 		    "unknown IP version %u, ignored.\n", v);
    880 		return EINVAL;
    881 	}
    882 }
    883 
    884 static void
    885 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
    886 {
    887 	u_int8_t nxt;
    888 	int off;
    889 
    890 	KASSERT(m != NULL);
    891 	KASSERTMSG(m->m_pkthdr.len >= sizeof(struct ip), "packet too short");
    892 
    893 	/* NB: ip_input() flips it into host endian XXX need more checking */
    894 	if (m->m_len >= sizeof(struct ip)) {
    895 		struct ip *ip = mtod(m, struct ip *);
    896 		if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
    897 			goto done;
    898 		off = ip->ip_hl << 2;
    899 		nxt = ip->ip_p;
    900 	} else {
    901 		struct ip ih;
    902 
    903 		m_copydata(m, 0, sizeof(struct ip), &ih);
    904 		if (ih.ip_off & htons(IP_MF | IP_OFFMASK))
    905 			goto done;
    906 		off = ih.ip_hl << 2;
    907 		nxt = ih.ip_p;
    908 	}
    909 
    910 	while (off < m->m_pkthdr.len) {
    911 		struct ip6_ext ip6e;
    912 		struct tcphdr th;
    913 		struct udphdr uh;
    914 		struct icmp icmph;
    915 
    916 		switch (nxt) {
    917 		case IPPROTO_TCP:
    918 			spidx->ul_proto = nxt;
    919 			if (!needport)
    920 				goto done_proto;
    921 			if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
    922 				goto done;
    923 			m_copydata(m, off, sizeof(th), &th);
    924 			spidx->src.sin.sin_port = th.th_sport;
    925 			spidx->dst.sin.sin_port = th.th_dport;
    926 			return;
    927 		case IPPROTO_UDP:
    928 			spidx->ul_proto = nxt;
    929 			if (!needport)
    930 				goto done_proto;
    931 			if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
    932 				goto done;
    933 			m_copydata(m, off, sizeof(uh), &uh);
    934 			spidx->src.sin.sin_port = uh.uh_sport;
    935 			spidx->dst.sin.sin_port = uh.uh_dport;
    936 			return;
    937 		case IPPROTO_AH:
    938 			if (off + sizeof(ip6e) > m->m_pkthdr.len)
    939 				goto done;
    940 			/* XXX sigh, this works but is totally bogus */
    941 			m_copydata(m, off, sizeof(ip6e), &ip6e);
    942 			off += (ip6e.ip6e_len + 2) << 2;
    943 			nxt = ip6e.ip6e_nxt;
    944 			break;
    945 		case IPPROTO_ICMP:
    946 			spidx->ul_proto = nxt;
    947 			if (off + sizeof(struct icmp) > m->m_pkthdr.len)
    948 				goto done;
    949 			m_copydata(m, off, sizeof(icmph), &icmph);
    950 			((struct sockaddr_in *)&spidx->src)->sin_port =
    951 			    htons((uint16_t)icmph.icmp_type);
    952 			((struct sockaddr_in *)&spidx->dst)->sin_port =
    953 			    htons((uint16_t)icmph.icmp_code);
    954 			return;
    955 		default:
    956 			/* XXX intermediate headers??? */
    957 			spidx->ul_proto = nxt;
    958 			goto done_proto;
    959 		}
    960 	}
    961 done:
    962 	spidx->ul_proto = IPSEC_ULPROTO_ANY;
    963 done_proto:
    964 	spidx->src.sin.sin_port = IPSEC_PORT_ANY;
    965 	spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
    966 }
    967 
    968 static int
    969 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
    970 {
    971 	static const struct sockaddr_in template = {
    972 		sizeof(struct sockaddr_in),
    973 		AF_INET,
    974 		0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 }
    975 	};
    976 
    977 	spidx->src.sin = template;
    978 	spidx->dst.sin = template;
    979 
    980 	if (m->m_len < sizeof(struct ip)) {
    981 		m_copydata(m, offsetof(struct ip, ip_src),
    982 		    sizeof(struct in_addr), &spidx->src.sin.sin_addr);
    983 		m_copydata(m, offsetof(struct ip, ip_dst),
    984 		    sizeof(struct in_addr), &spidx->dst.sin.sin_addr);
    985 	} else {
    986 		struct ip *ip = mtod(m, struct ip *);
    987 		spidx->src.sin.sin_addr = ip->ip_src;
    988 		spidx->dst.sin.sin_addr = ip->ip_dst;
    989 	}
    990 
    991 	spidx->prefs = sizeof(struct in_addr) << 3;
    992 	spidx->prefd = sizeof(struct in_addr) << 3;
    993 
    994 	return 0;
    995 }
    996 
    997 #ifdef INET6
    998 static void
    999 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
   1000 {
   1001 	int off, nxt;
   1002 	struct tcphdr th;
   1003 	struct udphdr uh;
   1004 	struct icmp6_hdr icmph;
   1005 
   1006 	KASSERT(m != NULL);
   1007 
   1008 	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
   1009 		kdebug_mbuf(__func__, m);
   1010 	}
   1011 
   1012 	/* set default */
   1013 	spidx->ul_proto = IPSEC_ULPROTO_ANY;
   1014 	((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
   1015 	((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
   1016 
   1017 	nxt = -1;
   1018 	off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
   1019 	if (off < 0 || m->m_pkthdr.len < off)
   1020 		return;
   1021 
   1022 	switch (nxt) {
   1023 	case IPPROTO_TCP:
   1024 		spidx->ul_proto = nxt;
   1025 		if (!needport)
   1026 			break;
   1027 		if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
   1028 			break;
   1029 		m_copydata(m, off, sizeof(th), &th);
   1030 		((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
   1031 		((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
   1032 		break;
   1033 	case IPPROTO_UDP:
   1034 		spidx->ul_proto = nxt;
   1035 		if (!needport)
   1036 			break;
   1037 		if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
   1038 			break;
   1039 		m_copydata(m, off, sizeof(uh), &uh);
   1040 		((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
   1041 		((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
   1042 		break;
   1043 	case IPPROTO_ICMPV6:
   1044 		spidx->ul_proto = nxt;
   1045 		if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
   1046 			break;
   1047 		m_copydata(m, off, sizeof(icmph), &icmph);
   1048 		((struct sockaddr_in6 *)&spidx->src)->sin6_port =
   1049 		    htons((uint16_t)icmph.icmp6_type);
   1050 		((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
   1051 		    htons((uint16_t)icmph.icmp6_code);
   1052 		break;
   1053 	default:
   1054 		/* XXX intermediate headers??? */
   1055 		spidx->ul_proto = nxt;
   1056 		break;
   1057 	}
   1058 }
   1059 
   1060 static int
   1061 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
   1062 {
   1063 	struct ip6_hdr *ip6 = NULL;
   1064 	struct ip6_hdr ip6buf;
   1065 	struct sockaddr_in6 *sin6;
   1066 
   1067 	if (m->m_len >= sizeof(*ip6)) {
   1068 		ip6 = mtod(m, struct ip6_hdr *);
   1069 	} else {
   1070 		m_copydata(m, 0, sizeof(ip6buf), &ip6buf);
   1071 		ip6 = &ip6buf;
   1072 	}
   1073 
   1074 	sin6 = (struct sockaddr_in6 *)&spidx->src;
   1075 	memset(sin6, 0, sizeof(*sin6));
   1076 	sin6->sin6_family = AF_INET6;
   1077 	sin6->sin6_len = sizeof(struct sockaddr_in6);
   1078 	memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
   1079 	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
   1080 		sin6->sin6_addr.s6_addr16[1] = 0;
   1081 		sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
   1082 	}
   1083 	spidx->prefs = sizeof(struct in6_addr) << 3;
   1084 
   1085 	sin6 = (struct sockaddr_in6 *)&spidx->dst;
   1086 	memset(sin6, 0, sizeof(*sin6));
   1087 	sin6->sin6_family = AF_INET6;
   1088 	sin6->sin6_len = sizeof(struct sockaddr_in6);
   1089 	memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
   1090 	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
   1091 		sin6->sin6_addr.s6_addr16[1] = 0;
   1092 		sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
   1093 	}
   1094 	spidx->prefd = sizeof(struct in6_addr) << 3;
   1095 
   1096 	return 0;
   1097 }
   1098 #endif
   1099 
   1100 static void
   1101 ipsec_delpcbpolicy(struct inpcbpolicy *p)
   1102 {
   1103 
   1104 	kmem_intr_free(p, sizeof(*p));
   1105 }
   1106 
   1107 int
   1108 ipsec_init_pcbpolicy(struct socket *so, struct inpcbpolicy **policy)
   1109 {
   1110 	struct inpcbpolicy *new;
   1111 
   1112 	KASSERT(so != NULL);
   1113 	KASSERT(policy != NULL);
   1114 
   1115 	new = kmem_intr_zalloc(sizeof(*new), KM_NOSLEEP);
   1116 	if (new == NULL) {
   1117 		IPSECLOG(LOG_DEBUG, "No more memory.\n");
   1118 		return ENOBUFS;
   1119 	}
   1120 
   1121 	if (IPSEC_PRIVILEGED_SO(so))
   1122 		new->priv = 1;
   1123 	else
   1124 		new->priv = 0;
   1125 
   1126 	/*
   1127 	 * Set dummy SPs. Actual SPs will be allocated later if needed.
   1128 	 */
   1129 	new->sp_in = &ipsec_dummy_sp;
   1130 	new->sp_out = &ipsec_dummy_sp;
   1131 
   1132 	*policy = new;
   1133 
   1134 	return 0;
   1135 }
   1136 
   1137 static void
   1138 ipsec_destroy_policy(struct secpolicy *sp)
   1139 {
   1140 
   1141 	if (sp == &ipsec_dummy_sp) {
   1142 		; /* It's dummy. No need to free it. */
   1143 	} else {
   1144 		/*
   1145 		 * We cannot destroy here because it can be called in
   1146 		 * softint. So mark the SP as DEAD and let the timer
   1147 		 * destroy it. See key_timehandler_spd.
   1148 		 */
   1149 		sp->state = IPSEC_SPSTATE_DEAD;
   1150 	}
   1151 }
   1152 
   1153 int
   1154 ipsec_set_policy(void *inp, int optname, const void *request, size_t len,
   1155     kauth_cred_t cred)
   1156 {
   1157 	struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
   1158 	const struct sadb_x_policy *xpl;
   1159 	struct secpolicy *newsp, *oldsp;
   1160 	struct secpolicy **policy;
   1161 	int error;
   1162 
   1163 	KASSERT(!cpu_softintr_p());
   1164 	KASSERT(inph != NULL);
   1165 	KASSERT(inph_locked(inph));
   1166 	KASSERT(request != NULL);
   1167 
   1168 	if (len < sizeof(*xpl))
   1169 		return EINVAL;
   1170 	xpl = (const struct sadb_x_policy *)request;
   1171 
   1172 	KASSERT(inph->inph_sp != NULL);
   1173 
   1174 	/* select direction */
   1175 	switch (xpl->sadb_x_policy_dir) {
   1176 	case IPSEC_DIR_INBOUND:
   1177 		policy = &inph->inph_sp->sp_in;
   1178 		break;
   1179 	case IPSEC_DIR_OUTBOUND:
   1180 		policy = &inph->inph_sp->sp_out;
   1181 		break;
   1182 	default:
   1183 		IPSECLOG(LOG_ERR, "invalid direction=%u\n",
   1184 		    xpl->sadb_x_policy_dir);
   1185 		return EINVAL;
   1186 	}
   1187 
   1188 	/* sanity check. */
   1189 	if (policy == NULL || *policy == NULL)
   1190 		return EINVAL;
   1191 
   1192 	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
   1193 		kdebug_sadb_xpolicy("set passed policy", request);
   1194 	}
   1195 
   1196 	/* check policy type */
   1197 	/* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
   1198 	if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
   1199 	    xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
   1200 		return EINVAL;
   1201 
   1202 	/* check privileged socket */
   1203 	if (xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
   1204 		error = kauth_authorize_network(cred, KAUTH_NETWORK_IPSEC,
   1205 		    KAUTH_REQ_NETWORK_IPSEC_BYPASS, NULL, NULL, NULL);
   1206 		if (error)
   1207 			return error;
   1208 	}
   1209 
   1210 	/* allocation new SP entry */
   1211 	if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
   1212 		return error;
   1213 
   1214 	key_init_sp(newsp);
   1215 	newsp->created = time_uptime;
   1216 	/* Insert the global list for SPs for sockets */
   1217 	key_socksplist_add(newsp);
   1218 
   1219 	/* clear old SP and set new SP */
   1220 	oldsp = *policy;
   1221 	*policy = newsp;
   1222 	ipsec_destroy_policy(oldsp);
   1223 
   1224 	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
   1225 		printf("%s: new policy\n", __func__);
   1226 		kdebug_secpolicy(newsp);
   1227 	}
   1228 
   1229 	return 0;
   1230 }
   1231 
   1232 int
   1233 ipsec_get_policy(void *inp, const void *request, size_t len,
   1234     struct mbuf **mp)
   1235 {
   1236 	struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
   1237 	const struct sadb_x_policy *xpl;
   1238 	struct secpolicy *policy;
   1239 
   1240 	/* sanity check. */
   1241 	if (inph == NULL || request == NULL || mp == NULL)
   1242 		return EINVAL;
   1243 	KASSERT(inph->inph_sp != NULL);
   1244 	if (len < sizeof(*xpl))
   1245 		return EINVAL;
   1246 	xpl = (const struct sadb_x_policy *)request;
   1247 
   1248 	/* select direction */
   1249 	switch (xpl->sadb_x_policy_dir) {
   1250 	case IPSEC_DIR_INBOUND:
   1251 		policy = inph->inph_sp->sp_in;
   1252 		break;
   1253 	case IPSEC_DIR_OUTBOUND:
   1254 		policy = inph->inph_sp->sp_out;
   1255 		break;
   1256 	default:
   1257 		IPSECLOG(LOG_ERR, "invalid direction=%u\n",
   1258 		    xpl->sadb_x_policy_dir);
   1259 		return EINVAL;
   1260 	}
   1261 
   1262 	if (policy == NULL)
   1263 		return EINVAL;
   1264 
   1265 	*mp = key_sp2msg(policy, M_NOWAIT);
   1266 	if (!*mp) {
   1267 		IPSECLOG(LOG_DEBUG, "No more memory.\n");
   1268 		return ENOBUFS;
   1269 	}
   1270 
   1271 	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
   1272 		kdebug_mbuf(__func__, *mp);
   1273 	}
   1274 
   1275 	return 0;
   1276 }
   1277 
   1278 int
   1279 ipsec_delete_pcbpolicy(void *inp)
   1280 {
   1281 	struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
   1282 
   1283 	KASSERT(inph != NULL);
   1284 
   1285 	if (inph->inph_sp == NULL)
   1286 		return 0;
   1287 
   1288 	if (inph->inph_sp->sp_in != NULL)
   1289 		ipsec_destroy_policy(inph->inph_sp->sp_in);
   1290 
   1291 	if (inph->inph_sp->sp_out != NULL)
   1292 		ipsec_destroy_policy(inph->inph_sp->sp_out);
   1293 
   1294 	ipsec_invalpcbcache(inph->inph_sp, IPSEC_DIR_ANY);
   1295 
   1296 	ipsec_delpcbpolicy(inph->inph_sp);
   1297 	inph->inph_sp = NULL;
   1298 
   1299 	return 0;
   1300 }
   1301 
   1302 /*
   1303  * Return the current level (either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE).
   1304  */
   1305 u_int
   1306 ipsec_get_reqlevel(const struct ipsecrequest *isr)
   1307 {
   1308 	u_int level = 0;
   1309 	u_int esp_trans_deflev, esp_net_deflev;
   1310 	u_int ah_trans_deflev, ah_net_deflev;
   1311 
   1312 	KASSERT(isr != NULL);
   1313 	KASSERT(isr->sp != NULL);
   1314 	KASSERTMSG(
   1315 	    isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family,
   1316 	    "af family mismatch, src %u, dst %u",
   1317 	    isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family);
   1318 
   1319 /* XXX note that we have ipseclog() expanded here - code sync issue */
   1320 #define IPSEC_CHECK_DEFAULT(lev)					\
   1321     (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE		\
   1322     && (lev) != IPSEC_LEVEL_UNIQUE) ?					\
   1323 	(ipsec_debug ? log(LOG_INFO, "fixed system default level " #lev \
   1324 	":%d->%d\n", (lev), IPSEC_LEVEL_REQUIRE) : (void)0),		\
   1325 	(lev) = IPSEC_LEVEL_REQUIRE, (lev)				\
   1326     : (lev))
   1327 
   1328 	/* set default level */
   1329 	switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
   1330 #ifdef INET
   1331 	case AF_INET:
   1332 		esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
   1333 		esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
   1334 		ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
   1335 		ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
   1336 		break;
   1337 #endif
   1338 #ifdef INET6
   1339 	case AF_INET6:
   1340 		esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
   1341 		esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
   1342 		ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
   1343 		ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
   1344 		break;
   1345 #endif
   1346 	default:
   1347 		panic("%s: unknown af %u", __func__,
   1348 		    isr->sp->spidx.src.sa.sa_family);
   1349 	}
   1350 
   1351 #undef IPSEC_CHECK_DEFAULT
   1352 
   1353 	/* set level */
   1354 	switch (isr->level) {
   1355 	case IPSEC_LEVEL_DEFAULT:
   1356 		switch (isr->saidx.proto) {
   1357 		case IPPROTO_ESP:
   1358 			if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
   1359 				level = esp_net_deflev;
   1360 			else
   1361 				level = esp_trans_deflev;
   1362 			break;
   1363 		case IPPROTO_AH:
   1364 			if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
   1365 				level = ah_net_deflev;
   1366 			else
   1367 				level = ah_trans_deflev;
   1368 			break;
   1369 		case IPPROTO_IPCOMP:
   1370 			/*
   1371 			 * we don't really care, as IPcomp document says that
   1372 			 * we shouldn't compress small packets
   1373 			 */
   1374 			level = IPSEC_LEVEL_USE;
   1375 			break;
   1376 		default:
   1377 			panic("%s: Illegal protocol defined %u", __func__,
   1378 			    isr->saidx.proto);
   1379 		}
   1380 		break;
   1381 
   1382 	case IPSEC_LEVEL_USE:
   1383 	case IPSEC_LEVEL_REQUIRE:
   1384 		level = isr->level;
   1385 		break;
   1386 	case IPSEC_LEVEL_UNIQUE:
   1387 		level = IPSEC_LEVEL_REQUIRE;
   1388 		break;
   1389 
   1390 	default:
   1391 		panic("%s: Illegal IPsec level %u", __func__, isr->level);
   1392 	}
   1393 
   1394 	return level;
   1395 }
   1396 
   1397 /*
   1398  * Check security policy requirements against the actual packet contents.
   1399  *
   1400  * If the SP requires an IPsec packet, and the packet was neither AH nor ESP,
   1401  * then kick it.
   1402  */
   1403 static int
   1404 ipsec_sp_reject(const struct secpolicy *sp, const struct mbuf *m)
   1405 {
   1406 	struct ipsecrequest *isr;
   1407 
   1408 	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
   1409 		printf("%s: using SP\n", __func__);
   1410 		kdebug_secpolicy(sp);
   1411 	}
   1412 
   1413 	/* check policy */
   1414 	switch (sp->policy) {
   1415 	case IPSEC_POLICY_DISCARD:
   1416 		return 1;
   1417 	case IPSEC_POLICY_BYPASS:
   1418 	case IPSEC_POLICY_NONE:
   1419 		return 0;
   1420 	}
   1421 
   1422 	KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
   1423 	    "invalid policy %u", sp->policy);
   1424 
   1425 	/* XXX should compare policy against ipsec header history */
   1426 
   1427 	for (isr = sp->req; isr != NULL; isr = isr->next) {
   1428 		if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE)
   1429 			continue;
   1430 		switch (isr->saidx.proto) {
   1431 		case IPPROTO_ESP:
   1432 			if ((m->m_flags & M_DECRYPTED) == 0) {
   1433 				KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
   1434 				    "ESP m_flags:%x\n", m->m_flags);
   1435 				return 1;
   1436 			}
   1437 			break;
   1438 		case IPPROTO_AH:
   1439 			if ((m->m_flags & M_AUTHIPHDR) == 0) {
   1440 				KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
   1441 				    "AH m_flags:%x\n", m->m_flags);
   1442 				return 1;
   1443 			}
   1444 			break;
   1445 		case IPPROTO_IPCOMP:
   1446 			/*
   1447 			 * We don't really care, as IPcomp document
   1448 			 * says that we shouldn't compress small
   1449 			 * packets, IPComp policy should always be
   1450 			 * treated as being in "use" level.
   1451 			 */
   1452 			break;
   1453 		}
   1454 	}
   1455 
   1456 	return 0;
   1457 }
   1458 
   1459 /*
   1460  * Check security policy requirements.
   1461  */
   1462 int
   1463 ipsec_in_reject(struct mbuf *m, void *inp)
   1464 {
   1465 	struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
   1466 	struct secpolicy *sp;
   1467 	int error;
   1468 	int result;
   1469 
   1470 	KASSERT(m != NULL);
   1471 
   1472 	if (inph == NULL)
   1473 		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
   1474 		    IP_FORWARDING, &error);
   1475 	else
   1476 		sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND,
   1477 		    inph, &error);
   1478 
   1479 	if (sp != NULL) {
   1480 		result = ipsec_sp_reject(sp, m);
   1481 		if (result)
   1482 			IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
   1483 		KEY_SP_UNREF(&sp);
   1484 	} else {
   1485 		result = 0;
   1486 	}
   1487 	return result;
   1488 }
   1489 
   1490 /*
   1491  * Compute the byte size to be occupied by the IPsec header. If it is
   1492  * tunneled, it includes the size of outer IP header.
   1493  */
   1494 static size_t
   1495 ipsec_sp_hdrsiz(const struct secpolicy *sp, const struct mbuf *m)
   1496 {
   1497 	struct ipsecrequest *isr;
   1498 	size_t siz;
   1499 
   1500 	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
   1501 		printf("%s: using SP\n", __func__);
   1502 		kdebug_secpolicy(sp);
   1503 	}
   1504 
   1505 	switch (sp->policy) {
   1506 	case IPSEC_POLICY_DISCARD:
   1507 	case IPSEC_POLICY_BYPASS:
   1508 	case IPSEC_POLICY_NONE:
   1509 		return 0;
   1510 	}
   1511 
   1512 	KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
   1513 	    "invalid policy %u", sp->policy);
   1514 
   1515 	siz = 0;
   1516 	for (isr = sp->req; isr != NULL; isr = isr->next) {
   1517 		size_t clen = 0;
   1518 		struct secasvar *sav;
   1519 
   1520 		switch (isr->saidx.proto) {
   1521 		case IPPROTO_ESP:
   1522 			sav = ipsec_lookup_sa(isr, m);
   1523 			if (sav != NULL) {
   1524 				clen = esp_hdrsiz(sav);
   1525 				KEY_SA_UNREF(&sav);
   1526 			} else
   1527 				clen = esp_hdrsiz(NULL);
   1528 			break;
   1529 		case IPPROTO_AH:
   1530 			sav = ipsec_lookup_sa(isr, m);
   1531 			if (sav != NULL) {
   1532 				clen = ah_hdrsiz(sav);
   1533 				KEY_SA_UNREF(&sav);
   1534 			} else
   1535 				clen = ah_hdrsiz(NULL);
   1536 			break;
   1537 		case IPPROTO_IPCOMP:
   1538 			clen = sizeof(struct ipcomp);
   1539 			break;
   1540 		}
   1541 
   1542 		if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
   1543 			switch (isr->saidx.dst.sa.sa_family) {
   1544 			case AF_INET:
   1545 				clen += sizeof(struct ip);
   1546 				break;
   1547 #ifdef INET6
   1548 			case AF_INET6:
   1549 				clen += sizeof(struct ip6_hdr);
   1550 				break;
   1551 #endif
   1552 			default:
   1553 				IPSECLOG(LOG_ERR, "unknown AF %d in "
   1554 				    "IPsec tunnel SA\n",
   1555 				    ((const struct sockaddr *)&isr->saidx.dst)
   1556 				    ->sa_family);
   1557 				break;
   1558 			}
   1559 		}
   1560 		siz += clen;
   1561 	}
   1562 
   1563 	return siz;
   1564 }
   1565 
   1566 size_t
   1567 ipsec_hdrsiz(struct mbuf *m, u_int dir, void *inp)
   1568 {
   1569 	struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
   1570 	struct secpolicy *sp;
   1571 	int error;
   1572 	size_t size;
   1573 
   1574 	KASSERT(m != NULL);
   1575 	KASSERTMSG(inph == NULL || inph->inph_socket != NULL,
   1576 	    "socket w/o inpcb");
   1577 
   1578 	if (inph == NULL)
   1579 		sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
   1580 	else
   1581 		sp = ipsec_getpolicybysock(m, dir, inph, &error);
   1582 
   1583 	if (sp != NULL) {
   1584 		size = ipsec_sp_hdrsiz(sp, m);
   1585 		KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size);
   1586 		KEY_SP_UNREF(&sp);
   1587 	} else {
   1588 		size = 0;
   1589 	}
   1590 
   1591 	return size;
   1592 }
   1593 
   1594 /*
   1595  * Check the variable replay window.
   1596  * ipsec_chkreplay() performs replay check before ICV verification.
   1597  * ipsec_updatereplay() updates replay bitmap.  This must be called after
   1598  * ICV verification (it also performs replay check, which is usually done
   1599  * beforehand).
   1600  * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
   1601  *
   1602  * based on RFC 2401.
   1603  */
   1604 int
   1605 ipsec_chkreplay(u_int32_t seq, const struct secasvar *sav)
   1606 {
   1607 	const struct secreplay *replay;
   1608 	u_int32_t diff;
   1609 	int fr;
   1610 	u_int32_t wsizeb;	/* constant: bits of window size */
   1611 	int frlast;		/* constant: last frame */
   1612 
   1613 	IPSEC_SPLASSERT_SOFTNET(__func__);
   1614 
   1615 	KASSERT(sav != NULL);
   1616 	KASSERT(sav->replay != NULL);
   1617 
   1618 	replay = sav->replay;
   1619 
   1620 	if (replay->wsize == 0)
   1621 		return 1;	/* no need to check replay. */
   1622 
   1623 	/* constant */
   1624 	frlast = replay->wsize - 1;
   1625 	wsizeb = replay->wsize << 3;
   1626 
   1627 	/* sequence number of 0 is invalid */
   1628 	if (seq == 0)
   1629 		return 0;
   1630 
   1631 	/* first time is always okay */
   1632 	if (replay->count == 0)
   1633 		return 1;
   1634 
   1635 	if (seq > replay->lastseq) {
   1636 		/* larger sequences are okay */
   1637 		return 1;
   1638 	} else {
   1639 		/* seq is equal or less than lastseq. */
   1640 		diff = replay->lastseq - seq;
   1641 
   1642 		/* over range to check, i.e. too old or wrapped */
   1643 		if (diff >= wsizeb)
   1644 			return 0;
   1645 
   1646 		fr = frlast - diff / 8;
   1647 
   1648 		/* this packet already seen ? */
   1649 		if ((replay->bitmap)[fr] & (1 << (diff % 8)))
   1650 			return 0;
   1651 
   1652 		/* out of order but good */
   1653 		return 1;
   1654 	}
   1655 }
   1656 
   1657 /*
   1658  * check replay counter whether to update or not.
   1659  * OUT:	0:	OK
   1660  *	1:	NG
   1661  */
   1662 int
   1663 ipsec_updatereplay(u_int32_t seq, const struct secasvar *sav)
   1664 {
   1665 	struct secreplay *replay;
   1666 	u_int32_t diff;
   1667 	int fr;
   1668 	u_int32_t wsizeb;	/* constant: bits of window size */
   1669 	int frlast;		/* constant: last frame */
   1670 
   1671 	IPSEC_SPLASSERT_SOFTNET(__func__);
   1672 
   1673 	KASSERT(sav != NULL);
   1674 	KASSERT(sav->replay != NULL);
   1675 
   1676 	replay = sav->replay;
   1677 
   1678 	if (replay->wsize == 0)
   1679 		goto ok;	/* no need to check replay. */
   1680 
   1681 	/* constant */
   1682 	frlast = replay->wsize - 1;
   1683 	wsizeb = replay->wsize << 3;
   1684 
   1685 	/* sequence number of 0 is invalid */
   1686 	if (seq == 0)
   1687 		return 1;
   1688 
   1689 	/* first time */
   1690 	if (replay->count == 0) {
   1691 		replay->lastseq = seq;
   1692 		memset(replay->bitmap, 0, replay->wsize);
   1693 		(replay->bitmap)[frlast] = 1;
   1694 		goto ok;
   1695 	}
   1696 
   1697 	if (seq > replay->lastseq) {
   1698 		/* seq is larger than lastseq. */
   1699 		diff = seq - replay->lastseq;
   1700 
   1701 		/* new larger sequence number */
   1702 		if (diff < wsizeb) {
   1703 			/* In window */
   1704 			/* set bit for this packet */
   1705 			vshiftl(replay->bitmap, diff, replay->wsize);
   1706 			(replay->bitmap)[frlast] |= 1;
   1707 		} else {
   1708 			/* this packet has a "way larger" */
   1709 			memset(replay->bitmap, 0, replay->wsize);
   1710 			(replay->bitmap)[frlast] = 1;
   1711 		}
   1712 		replay->lastseq = seq;
   1713 
   1714 		/* larger is good */
   1715 	} else {
   1716 		/* seq is equal or less than lastseq. */
   1717 		diff = replay->lastseq - seq;
   1718 
   1719 		/* over range to check, i.e. too old or wrapped */
   1720 		if (diff >= wsizeb)
   1721 			return 1;
   1722 
   1723 		fr = frlast - diff / 8;
   1724 
   1725 		/* this packet already seen ? */
   1726 		if ((replay->bitmap)[fr] & (1 << (diff % 8)))
   1727 			return 1;
   1728 
   1729 		/* mark as seen */
   1730 		(replay->bitmap)[fr] |= (1 << (diff % 8));
   1731 
   1732 		/* out of order but good */
   1733 	}
   1734 
   1735 ok:
   1736 	if (replay->count == ~0) {
   1737 		char buf[IPSEC_LOGSASTRLEN];
   1738 
   1739 		/* set overflow flag */
   1740 		replay->overflow++;
   1741 
   1742 		/* don't increment, no more packets accepted */
   1743 		if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
   1744 			return 1;
   1745 
   1746 		IPSECLOG(LOG_WARNING, "replay counter made %d cycle. %s\n",
   1747 		    replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf)));
   1748 	}
   1749 
   1750 	replay->count++;
   1751 
   1752 	return 0;
   1753 }
   1754 
   1755 /*
   1756  * shift variable length buffer to left.
   1757  * IN:	bitmap: pointer to the buffer
   1758  *	nbit:	the number of to shift.
   1759  *	wsize:	buffer size (bytes).
   1760  */
   1761 static void
   1762 vshiftl(unsigned char *bitmap, int nbit, int wsize)
   1763 {
   1764 	int s, j, i;
   1765 	unsigned char over;
   1766 
   1767 	for (j = 0; j < nbit; j += 8) {
   1768 		s = (nbit - j < 8) ? (nbit - j): 8;
   1769 		bitmap[0] <<= s;
   1770 		for (i = 1; i < wsize; i++) {
   1771 			over = (bitmap[i] >> (8 - s));
   1772 			bitmap[i] <<= s;
   1773 			bitmap[i-1] |= over;
   1774 		}
   1775 	}
   1776 
   1777 	return;
   1778 }
   1779 
   1780 /* Return a printable string for the address. */
   1781 const char *
   1782 ipsec_address(const union sockaddr_union *sa, char *buf, size_t size)
   1783 {
   1784 	switch (sa->sa.sa_family) {
   1785 	case AF_INET:
   1786 		in_print(buf, size, &sa->sin.sin_addr);
   1787 		return buf;
   1788 #if INET6
   1789 	case AF_INET6:
   1790 		in6_print(buf, size, &sa->sin6.sin6_addr);
   1791 		return buf;
   1792 #endif
   1793 	default:
   1794 		return "(unknown address family)";
   1795 	}
   1796 }
   1797 
   1798 const char *
   1799 ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size)
   1800 {
   1801 	const struct secasindex *saidx = &sav->sah->saidx;
   1802 	char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
   1803 
   1804 	KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
   1805 	    "af family mismatch, src %u, dst %u",
   1806 	    saidx->src.sa.sa_family, saidx->dst.sa.sa_family);
   1807 
   1808 	snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)",
   1809 	    (u_int32_t)ntohl(sav->spi),
   1810 	    ipsec_address(&saidx->src, sbuf, sizeof(sbuf)),
   1811 	    ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)));
   1812 
   1813 	return buf;
   1814 }
   1815 
   1816 #ifdef INET6
   1817 struct secpolicy *
   1818 ipsec6_check_policy(struct mbuf *m, struct in6pcb *in6p, int flags,
   1819     int *needipsecp, int *errorp)
   1820 {
   1821 	struct secpolicy *sp = NULL;
   1822 	int s;
   1823 	int error = 0;
   1824 	int needipsec = 0;
   1825 
   1826 	if (ipsec_outdone(m)) {
   1827 		goto skippolicycheck;
   1828 	}
   1829 	s = splsoftnet();
   1830 	if (in6p && ipsec_pcb_skip_ipsec(in6p->in6p_sp, IPSEC_DIR_OUTBOUND)) {
   1831 		splx(s);
   1832 		goto skippolicycheck;
   1833 	}
   1834 	sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, in6p);
   1835 	splx(s);
   1836 
   1837 	/*
   1838 	 * There are four return cases:
   1839 	 *	sp != NULL                    apply IPsec policy
   1840 	 *	sp == NULL, error == 0        no IPsec handling needed
   1841 	 *	sp == NULL, error == -EINVAL  discard packet w/o error
   1842 	 *	sp == NULL, error != 0        discard packet, report error
   1843 	 */
   1844 	if (sp == NULL) {
   1845 		needipsec = 0;
   1846 	} else {
   1847 		needipsec = 1;
   1848 	}
   1849 
   1850 skippolicycheck:
   1851 	*errorp = error;
   1852 	*needipsecp = needipsec;
   1853 	return sp;
   1854 }
   1855 
   1856 int
   1857 ipsec6_input(struct mbuf *m)
   1858 {
   1859 	int s, error;
   1860 
   1861 	s = splsoftnet();
   1862 	error = ipsec_in_reject(m, NULL);
   1863 	splx(s);
   1864 	if (error) {
   1865 		return EINVAL;
   1866 	}
   1867 
   1868 	return 0;
   1869 }
   1870 #endif /* INET6 */
   1871 
   1872 /*
   1873  * -----------------------------------------------------------------------------
   1874  */
   1875 
   1876 /* XXX this stuff doesn't belong here... */
   1877 
   1878 static struct xformsw *xforms = NULL;
   1879 
   1880 /*
   1881  * Register a transform; typically at system startup.
   1882  */
   1883 void
   1884 xform_register(struct xformsw *xsp)
   1885 {
   1886 	xsp->xf_next = xforms;
   1887 	xforms = xsp;
   1888 }
   1889 
   1890 /*
   1891  * Initialize transform support in an sav.
   1892  */
   1893 int
   1894 xform_init(struct secasvar *sav, int xftype)
   1895 {
   1896 	struct xformsw *xsp;
   1897 
   1898 	if (sav->tdb_xform != NULL)	/* previously initialized */
   1899 		return 0;
   1900 	for (xsp = xforms; xsp; xsp = xsp->xf_next)
   1901 		if (xsp->xf_type == xftype)
   1902 			return (*xsp->xf_init)(sav, xsp);
   1903 
   1904 	IPSECLOG(LOG_DEBUG, "no match for xform type %d\n", xftype);
   1905 	return EINVAL;
   1906 }
   1907 
   1908 void
   1909 nat_t_ports_get(struct mbuf *m, u_int16_t *dport, u_int16_t *sport)
   1910 {
   1911 	struct m_tag *tag;
   1912 
   1913 	if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL))) {
   1914 		*sport = ((u_int16_t *)(tag + 1))[0];
   1915 		*dport = ((u_int16_t *)(tag + 1))[1];
   1916 	} else
   1917 		*sport = *dport = 0;
   1918 }
   1919 
   1920 /*
   1921  * XXXJRT This should be done as a protosw init call.
   1922  */
   1923 void
   1924 ipsec_attach(void)
   1925 {
   1926 
   1927 	ipsec_output_init();
   1928 
   1929 	ipsecstat_percpu = percpu_alloc(sizeof(uint64_t) * IPSEC_NSTATS);
   1930 
   1931 	sysctl_net_inet_ipsec_setup(NULL);
   1932 #ifdef INET6
   1933 	sysctl_net_inet6_ipsec6_setup(NULL);
   1934 #endif
   1935 
   1936 	ah_attach();
   1937 	esp_attach();
   1938 	ipcomp_attach();
   1939 	ipe4_attach();
   1940 #ifdef TCP_SIGNATURE
   1941 	tcpsignature_attach();
   1942 #endif
   1943 }
   1944