1 /* $OpenBSD: ip_ipsp.c,v 1.183 2011/05/11 07:37:04 blambert Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include "pf.h" 41 #include "pfsync.h" 42 43 #include <sys/param.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/kernel.h> 47 #include <sys/proc.h> 48 #include <sys/sysctl.h> 49 50 #include <net/if.h> 51 #include <net/route.h> 52 53 #if NPF > 0 54 #include <net/pfvar.h> 55 #endif 56 57 #if NPFSYNC > 0 58 #include <net/if_pfsync.h> 59 #endif 60 61 #ifdef INET 62 #include <netinet/in.h> 63 #include <netinet/in_systm.h> 64 #include <netinet/ip.h> 65 #include <netinet/in_pcb.h> 66 #endif /* INET */ 67 68 #ifdef INET6 69 #ifndef INET 70 #include <netinet/in.h> 71 #endif 72 #include <netinet6/in6_var.h> 73 #endif /* INET6 */ 74 75 #include <netinet/ip_ipsp.h> 76 #include <net/pfkeyv2.h> 77 #include <crypto/xform.h> 78 #include <dev/rndvar.h> 79 80 #ifdef DDB 81 #include <ddb/db_output.h> 82 void tdb_hashstats(void); 83 #endif 84 85 #ifdef ENCDEBUG 86 #define DPRINTF(x) if (encdebug) printf x 87 #else 88 #define DPRINTF(x) 89 #endif 90 91 u_int8_t get_sa_require(struct inpcb *); 92 void tdb_rehash(void); 93 void tdb_timeout(void *v); 94 void tdb_firstuse(void *v); 95 void tdb_soft_timeout(void *v); 96 void tdb_soft_firstuse(void *v); 97 int tdb_hash(u_int, u_int32_t, union sockaddr_union *, u_int8_t); 98 99 extern int ipsec_auth_default_level; 100 extern int ipsec_esp_trans_default_level; 101 extern int ipsec_esp_network_default_level; 102 extern int ipsec_ipcomp_default_level; 103 104 extern int encdebug; 105 int ipsec_in_use = 0; 106 u_int64_t ipsec_last_added = 0; 107 108 struct ipsec_policy_head ipsec_policy_head = 109 TAILQ_HEAD_INITIALIZER(ipsec_policy_head); 110 struct ipsec_acquire_head ipsec_acquire_head = 111 TAILQ_HEAD_INITIALIZER(ipsec_acquire_head); 112 113 /* 114 * This is the proper place to define the various encapsulation transforms. 115 */ 116 117 struct xformsw xformsw[] = { 118 #ifdef IPSEC 119 { XF_IP4, 0, "IPv4 Simple Encapsulation", 120 ipe4_attach, ipe4_init, ipe4_zeroize, 121 (int (*)(struct mbuf *, struct tdb *, int, int))ipe4_input, 122 ipip_output, }, 123 { XF_AH, XFT_AUTH, "IPsec AH", 124 ah_attach, ah_init, ah_zeroize, 125 ah_input, ah_output, }, 126 { XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP", 127 esp_attach, esp_init, esp_zeroize, 128 esp_input, esp_output, }, 129 { XF_IPCOMP, XFT_COMP, "IPcomp", 130 ipcomp_attach, ipcomp_init, ipcomp_zeroize, 131 ipcomp_input, ipcomp_output, }, 132 #endif /* IPSEC */ 133 #ifdef TCP_SIGNATURE 134 { XF_TCPSIGNATURE, XFT_AUTH, "TCP MD5 Signature Option, RFC 2385", 135 tcp_signature_tdb_attach, tcp_signature_tdb_init, 136 tcp_signature_tdb_zeroize, tcp_signature_tdb_input, 137 tcp_signature_tdb_output, } 138 #endif /* TCP_SIGNATURE */ 139 }; 140 141 struct xformsw *xformswNXFORMSW = &xformsw[nitems(xformsw)]; 142 143 unsigned char ipseczeroes[IPSEC_ZEROES_SIZE]; /* zeroes! */ 144 145 #define TDB_HASHSIZE_INIT 32 146 147 static struct tdb **tdbh = NULL; 148 static struct tdb **tdbaddr = NULL; 149 static struct tdb **tdbsrc = NULL; 150 static u_int tdb_hashmask = TDB_HASHSIZE_INIT - 1; 151 static int tdb_count; 152 153 /* 154 * Our hashing function needs to stir things with a non-zero random multiplier 155 * so we cannot be DoS-attacked via choosing of the data to hash. 156 */ 157 int 158 tdb_hash(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, 159 u_int8_t proto) 160 { 161 static u_int32_t mult1 = 0, mult2 = 0; 162 u_int8_t *ptr = (u_int8_t *) dst; 163 int i, shift; 164 u_int64_t hash; 165 int val32 = 0; 166 167 while (mult1 == 0) 168 mult1 = arc4random(); 169 while (mult2 == 0) 170 mult2 = arc4random(); 171 172 hash = (spi ^ proto ^ rdomain) * mult1; 173 for (i = 0; i < SA_LEN(&dst->sa); i++) { 174 val32 = (val32 << 8) | ptr[i]; 175 if (i % 4 == 3) { 176 hash ^= val32 * mult2; 177 val32 = 0; 178 } 179 } 180 181 if (i % 4 != 0) 182 hash ^= val32 * mult2; 183 184 shift = ffs(tdb_hashmask + 1); 185 while ((hash & ~tdb_hashmask) != 0) 186 hash = (hash >> shift) ^ (hash & tdb_hashmask); 187 188 return hash; 189 } 190 191 /* 192 * Reserve an SPI; the SA is not valid yet though. We use 0 as 193 * an error return value. 194 */ 195 u_int32_t 196 reserve_spi(u_int rdomain, u_int32_t sspi, u_int32_t tspi, 197 union sockaddr_union *src, union sockaddr_union *dst, 198 u_int8_t sproto, int *errval) 199 { 200 struct tdb *tdbp, *exists; 201 u_int32_t spi; 202 int nums, s; 203 204 /* Don't accept ranges only encompassing reserved SPIs. */ 205 if (sproto != IPPROTO_IPCOMP && 206 (tspi < sspi || tspi <= SPI_RESERVED_MAX)) { 207 (*errval) = EINVAL; 208 return 0; 209 } 210 if (sproto == IPPROTO_IPCOMP && (tspi < sspi || 211 tspi <= CPI_RESERVED_MAX || 212 tspi >= CPI_PRIVATE_MIN)) { 213 (*errval) = EINVAL; 214 return 0; 215 } 216 217 /* Limit the range to not include reserved areas. */ 218 if (sspi <= SPI_RESERVED_MAX) 219 sspi = SPI_RESERVED_MAX + 1; 220 221 /* For IPCOMP the CPI is only 16 bits long, what a good idea.... */ 222 223 if (sproto == IPPROTO_IPCOMP) { 224 u_int32_t t; 225 if (sspi >= 0x10000) 226 sspi = 0xffff; 227 if (tspi >= 0x10000) 228 tspi = 0xffff; 229 if (sspi > tspi) { 230 t = sspi; sspi = tspi; tspi = t; 231 } 232 } 233 234 if (sspi == tspi) /* Asking for a specific SPI. */ 235 nums = 1; 236 else 237 nums = 100; /* Arbitrarily chosen */ 238 239 /* allocate ahead of time to avoid potential sleeping race in loop */ 240 tdbp = tdb_alloc(rdomain); 241 242 while (nums--) { 243 if (sspi == tspi) /* Specific SPI asked. */ 244 spi = tspi; 245 else /* Range specified */ 246 spi = sspi + arc4random_uniform(tspi - sspi); 247 248 /* Don't allocate reserved SPIs. */ 249 if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX) 250 continue; 251 else 252 spi = htonl(spi); 253 254 /* Check whether we're using this SPI already. */ 255 s = spltdb(); 256 exists = gettdb(rdomain, spi, dst, sproto); 257 splx(s); 258 259 if (exists) 260 continue; 261 262 263 tdbp->tdb_spi = spi; 264 bcopy(&dst->sa, &tdbp->tdb_dst.sa, SA_LEN(&dst->sa)); 265 bcopy(&src->sa, &tdbp->tdb_src.sa, SA_LEN(&src->sa)); 266 tdbp->tdb_sproto = sproto; 267 tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */ 268 tdbp->tdb_satype = SADB_SATYPE_UNSPEC; 269 puttdb(tdbp); 270 271 /* Setup a "silent" expiration (since TDBF_INVALID's set). */ 272 if (ipsec_keep_invalid > 0) { 273 tdbp->tdb_flags |= TDBF_TIMER; 274 tdbp->tdb_exp_timeout = ipsec_keep_invalid; 275 timeout_add_sec(&tdbp->tdb_timer_tmo, 276 ipsec_keep_invalid); 277 } 278 279 return spi; 280 } 281 282 (*errval) = EEXIST; 283 tdb_free(tdbp); 284 return 0; 285 } 286 287 /* 288 * An IPSP SAID is really the concatenation of the SPI found in the 289 * packet, the destination address of the packet and the IPsec protocol. 290 * When we receive an IPSP packet, we need to look up its tunnel descriptor 291 * block, based on the SPI in the packet and the destination address (which 292 * is really one of our addresses if we received the packet! 293 * 294 * Caller is responsible for setting at least spltdb(). 295 */ 296 struct tdb * 297 gettdb(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) 298 { 299 u_int32_t hashval; 300 struct tdb *tdbp; 301 302 if (tdbh == NULL) 303 return (struct tdb *) NULL; 304 305 hashval = tdb_hash(rdomain, spi, dst, proto); 306 307 for (tdbp = tdbh[hashval]; tdbp != NULL; tdbp = tdbp->tdb_hnext) 308 if ((tdbp->tdb_spi == spi) && (tdbp->tdb_sproto == proto) && 309 (tdbp->tdb_rdomain == rdomain) && 310 !bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) 311 break; 312 313 return tdbp; 314 } 315 316 /* 317 * Same as gettdb() but compare SRC as well, so we 318 * use the tdbsrc[] hash table. Setting spi to 0 319 * matches all SPIs. 320 */ 321 struct tdb * 322 gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src, 323 union sockaddr_union *dst, u_int8_t proto) 324 { 325 u_int32_t hashval; 326 struct tdb *tdbp; 327 union sockaddr_union su_null; 328 329 if (tdbsrc == NULL) 330 return (struct tdb *) NULL; 331 332 hashval = tdb_hash(rdomain, 0, src, proto); 333 334 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 335 if (tdbp->tdb_sproto == proto && 336 (spi == 0 || tdbp->tdb_spi == spi) && 337 (tdbp->tdb_rdomain == rdomain) && 338 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 339 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 340 !bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) && 341 !bcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa))) 342 break; 343 344 if (tdbp != NULL) 345 return (tdbp); 346 347 bzero(&su_null, sizeof(su_null)); 348 su_null.sa.sa_len = sizeof(struct sockaddr); 349 hashval = tdb_hash(rdomain, 0, &su_null, proto); 350 351 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 352 if (tdbp->tdb_sproto == proto && 353 (spi == 0 || tdbp->tdb_spi == spi) && 354 (tdbp->tdb_rdomain == rdomain) && 355 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 356 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 357 !bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) && 358 tdbp->tdb_src.sa.sa_family == AF_UNSPEC) 359 break; 360 361 return (tdbp); 362 } 363 364 /* 365 * Check that credentials and IDs match. Return true if so. The t* 366 * range of arguments contains information from TDBs; the p* 367 * range of arguments contains information from policies or 368 * already established TDBs. 369 */ 370 int 371 ipsp_aux_match(struct tdb *tdb, 372 struct ipsec_ref *psrcid, 373 struct ipsec_ref *pdstid, 374 struct ipsec_ref *plcred, 375 struct ipsec_ref *prcred, 376 struct sockaddr_encap *pfilter, 377 struct sockaddr_encap *pfiltermask) 378 { 379 if (psrcid != NULL) 380 if (tdb->tdb_srcid == NULL || 381 !ipsp_ref_match(tdb->tdb_srcid, psrcid)) 382 return 0; 383 384 if (pdstid != NULL) 385 if (tdb->tdb_dstid == NULL || 386 !ipsp_ref_match(tdb->tdb_dstid, pdstid)) 387 return 0; 388 389 if (plcred != NULL) 390 if (tdb->tdb_local_cred == NULL || 391 !ipsp_ref_match(tdb->tdb_local_cred, plcred)) 392 return 0; 393 394 if (prcred != NULL) 395 if (tdb->tdb_remote_cred == NULL || 396 !ipsp_ref_match(tdb->tdb_remote_cred, prcred)) 397 return 0; 398 399 /* Check for filter matches. */ 400 if (tdb->tdb_filter.sen_type) { 401 /* 402 * XXX We should really be doing a subnet-check (see 403 * whether the TDB-associated filter is a subset 404 * of the policy's. For now, an exact match will solve 405 * most problems (all this will do is make every 406 * policy get its own SAs). 407 */ 408 if (bcmp(&tdb->tdb_filter, pfilter, 409 sizeof(struct sockaddr_encap)) || 410 bcmp(&tdb->tdb_filtermask, pfiltermask, 411 sizeof(struct sockaddr_encap))) 412 return 0; 413 } 414 415 return 1; 416 } 417 418 /* 419 * Get an SA given the remote address, the security protocol type, and 420 * the desired IDs. 421 */ 422 struct tdb * 423 gettdbbyaddr(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, 424 struct ipsec_ref *srcid, struct ipsec_ref *dstid, 425 struct ipsec_ref *local_cred, struct mbuf *m, int af, 426 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 427 { 428 u_int32_t hashval; 429 struct tdb *tdbp; 430 431 if (tdbaddr == NULL) 432 return (struct tdb *) NULL; 433 434 hashval = tdb_hash(rdomain, 0, dst, sproto); 435 436 for (tdbp = tdbaddr[hashval]; tdbp != NULL; tdbp = tdbp->tdb_anext) 437 if ((tdbp->tdb_sproto == sproto) && 438 (tdbp->tdb_rdomain == rdomain) && 439 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 440 (!bcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) { 441 /* Do IDs and local credentials match ? */ 442 if (!ipsp_aux_match(tdbp, srcid, dstid, 443 local_cred, NULL, filter, filtermask)) 444 continue; 445 break; 446 } 447 448 return tdbp; 449 } 450 451 /* 452 * Get an SA given the source address, the security protocol type, and 453 * the desired IDs. 454 */ 455 struct tdb * 456 gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto, 457 struct ipsec_ref *srcid, struct ipsec_ref *dstid, 458 struct mbuf *m, int af, struct sockaddr_encap *filter, 459 struct sockaddr_encap *filtermask) 460 { 461 u_int32_t hashval; 462 struct tdb *tdbp; 463 464 if (tdbsrc == NULL) 465 return (struct tdb *) NULL; 466 467 hashval = tdb_hash(rdomain, 0, src, sproto); 468 469 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 470 if ((tdbp->tdb_sproto == sproto) && 471 (tdbp->tdb_rdomain == rdomain) && 472 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 473 (!bcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) { 474 /* Check whether IDs match */ 475 if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL, 476 filter, filtermask)) 477 continue; 478 break; 479 } 480 481 return tdbp; 482 } 483 484 #if DDB 485 486 #define NBUCKETS 16 487 void 488 tdb_hashstats(void) 489 { 490 int i, cnt, buckets[NBUCKETS]; 491 struct tdb *tdbp; 492 493 if (tdbh == NULL) { 494 db_printf("no tdb hash table\n"); 495 return; 496 } 497 498 bzero (buckets, sizeof(buckets)); 499 for (i = 0; i <= tdb_hashmask; i++) { 500 cnt = 0; 501 for (tdbp = tdbh[i]; cnt < NBUCKETS - 1 && tdbp != NULL; 502 tdbp = tdbp->tdb_hnext) 503 cnt++; 504 buckets[cnt]++; 505 } 506 507 db_printf("tdb cnt\t\tbucket cnt\n"); 508 for (i = 0; i < NBUCKETS; i++) 509 if (buckets[i] > 0) 510 db_printf("%d%s\t\t%d\n", i, i == NBUCKETS - 1 ? 511 "+" : "", buckets[i]); 512 } 513 #endif /* DDB */ 514 515 /* 516 * Caller is responsible for setting at least spltdb(). 517 */ 518 int 519 tdb_walk(u_int rdomain, int (*walker)(struct tdb *, void *, int), void *arg) 520 { 521 int i, rval = 0; 522 struct tdb *tdbp, *next; 523 524 if (tdbh == NULL) 525 return ENOENT; 526 527 for (i = 0; i <= tdb_hashmask; i++) 528 for (tdbp = tdbh[i]; rval == 0 && tdbp != NULL; tdbp = next) { 529 next = tdbp->tdb_hnext; 530 531 if (rdomain != tdbp->tdb_rdomain) 532 continue; 533 534 if (i == tdb_hashmask && next == NULL) 535 rval = walker(tdbp, (void *)arg, 1); 536 else 537 rval = walker(tdbp, (void *)arg, 0); 538 } 539 540 return rval; 541 } 542 543 /* 544 * Called at splsoftclock(). 545 */ 546 void 547 tdb_timeout(void *v) 548 { 549 struct tdb *tdb = v; 550 551 if (!(tdb->tdb_flags & TDBF_TIMER)) 552 return; 553 554 /* If it's an "invalid" TDB do a silent expiration. */ 555 if (!(tdb->tdb_flags & TDBF_INVALID)) 556 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 557 tdb_delete(tdb); 558 } 559 560 void 561 tdb_firstuse(void *v) 562 { 563 struct tdb *tdb = v; 564 565 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 566 return; 567 568 /* If the TDB hasn't been used, don't renew it. */ 569 if (tdb->tdb_first_use != 0) 570 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 571 tdb_delete(tdb); 572 } 573 574 void 575 tdb_soft_timeout(void *v) 576 { 577 struct tdb *tdb = v; 578 579 if (!(tdb->tdb_flags & TDBF_SOFT_TIMER)) 580 return; 581 582 /* Soft expirations. */ 583 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 584 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 585 } 586 587 void 588 tdb_soft_firstuse(void *v) 589 { 590 struct tdb *tdb = v; 591 592 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 593 return; 594 595 /* If the TDB hasn't been used, don't renew it. */ 596 if (tdb->tdb_first_use != 0) 597 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 598 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 599 } 600 601 /* 602 * Caller is responsible for spltdb(). 603 */ 604 void 605 tdb_rehash(void) 606 { 607 struct tdb **new_tdbh, **new_tdbaddr, **new_srcaddr, *tdbp, *tdbnp; 608 u_int i, old_hashmask = tdb_hashmask; 609 u_int32_t hashval; 610 611 tdb_hashmask = (tdb_hashmask << 1) | 1; 612 613 new_tdbh = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 614 M_WAITOK | M_ZERO); 615 new_tdbaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 616 M_WAITOK | M_ZERO); 617 new_srcaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 618 M_WAITOK | M_ZERO); 619 620 for (i = 0; i <= old_hashmask; i++) { 621 for (tdbp = tdbh[i]; tdbp != NULL; tdbp = tdbnp) { 622 tdbnp = tdbp->tdb_hnext; 623 hashval = tdb_hash(tdbp->tdb_rdomain, 624 tdbp->tdb_spi, &tdbp->tdb_dst, 625 tdbp->tdb_sproto); 626 tdbp->tdb_hnext = new_tdbh[hashval]; 627 new_tdbh[hashval] = tdbp; 628 } 629 630 for (tdbp = tdbaddr[i]; tdbp != NULL; tdbp = tdbnp) { 631 tdbnp = tdbp->tdb_anext; 632 hashval = tdb_hash(tdbp->tdb_rdomain, 633 0, &tdbp->tdb_dst, 634 tdbp->tdb_sproto); 635 tdbp->tdb_anext = new_tdbaddr[hashval]; 636 new_tdbaddr[hashval] = tdbp; 637 } 638 639 for (tdbp = tdbsrc[i]; tdbp != NULL; tdbp = tdbnp) { 640 tdbnp = tdbp->tdb_snext; 641 hashval = tdb_hash(tdbp->tdb_rdomain, 642 0, &tdbp->tdb_src, 643 tdbp->tdb_sproto); 644 tdbp->tdb_snext = new_srcaddr[hashval]; 645 new_srcaddr[hashval] = tdbp; 646 } 647 } 648 649 free(tdbh, M_TDB); 650 tdbh = new_tdbh; 651 652 free(tdbaddr, M_TDB); 653 tdbaddr = new_tdbaddr; 654 655 free(tdbsrc, M_TDB); 656 tdbsrc = new_srcaddr; 657 } 658 659 /* 660 * Add TDB in the hash table. 661 */ 662 void 663 puttdb(struct tdb *tdbp) 664 { 665 u_int32_t hashval; 666 int s = spltdb(); 667 668 if (tdbh == NULL) { 669 tdbh = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 670 M_WAITOK | M_ZERO); 671 tdbaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), 672 M_TDB, M_WAITOK | M_ZERO); 673 tdbsrc = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), 674 M_TDB, M_WAITOK | M_ZERO); 675 } 676 677 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 678 &tdbp->tdb_dst, tdbp->tdb_sproto); 679 680 /* 681 * Rehash if this tdb would cause a bucket to have more than 682 * two items and if the number of tdbs exceed 10% of the 683 * bucket count. This number is arbitratily chosen and is 684 * just a measure to not keep rehashing when adding and 685 * removing tdbs which happens to always end up in the same 686 * bucket, which is not uncommon when doing manual keying. 687 */ 688 if (tdbh[hashval] != NULL && tdbh[hashval]->tdb_hnext != NULL && 689 tdb_count * 10 > tdb_hashmask + 1) { 690 tdb_rehash(); 691 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 692 &tdbp->tdb_dst, tdbp->tdb_sproto); 693 } 694 695 tdbp->tdb_hnext = tdbh[hashval]; 696 tdbh[hashval] = tdbp; 697 698 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_dst, 699 tdbp->tdb_sproto); 700 tdbp->tdb_anext = tdbaddr[hashval]; 701 tdbaddr[hashval] = tdbp; 702 703 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_src, 704 tdbp->tdb_sproto); 705 tdbp->tdb_snext = tdbsrc[hashval]; 706 tdbsrc[hashval] = tdbp; 707 708 tdb_count++; 709 710 ipsec_last_added = time_second; 711 712 splx(s); 713 } 714 715 /* 716 * Caller is responsible to set at least spltdb(). 717 */ 718 void 719 tdb_delete(struct tdb *tdbp) 720 { 721 struct tdb *tdbpp; 722 u_int32_t hashval; 723 int s; 724 725 if (tdbh == NULL) 726 return; 727 728 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 729 &tdbp->tdb_dst, tdbp->tdb_sproto); 730 731 s = spltdb(); 732 if (tdbh[hashval] == tdbp) { 733 tdbh[hashval] = tdbp->tdb_hnext; 734 } else { 735 for (tdbpp = tdbh[hashval]; tdbpp != NULL; 736 tdbpp = tdbpp->tdb_hnext) { 737 if (tdbpp->tdb_hnext == tdbp) { 738 tdbpp->tdb_hnext = tdbp->tdb_hnext; 739 break; 740 } 741 } 742 } 743 744 tdbp->tdb_hnext = NULL; 745 746 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_dst, 747 tdbp->tdb_sproto); 748 749 if (tdbaddr[hashval] == tdbp) { 750 tdbaddr[hashval] = tdbp->tdb_anext; 751 } else { 752 for (tdbpp = tdbaddr[hashval]; tdbpp != NULL; 753 tdbpp = tdbpp->tdb_anext) { 754 if (tdbpp->tdb_anext == tdbp) { 755 tdbpp->tdb_anext = tdbp->tdb_anext; 756 break; 757 } 758 } 759 } 760 761 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_src, 762 tdbp->tdb_sproto); 763 764 if (tdbsrc[hashval] == tdbp) { 765 tdbsrc[hashval] = tdbp->tdb_snext; 766 } 767 else { 768 for (tdbpp = tdbsrc[hashval]; tdbpp != NULL; 769 tdbpp = tdbpp->tdb_snext) { 770 if (tdbpp->tdb_snext == tdbp) { 771 tdbpp->tdb_snext = tdbp->tdb_snext; 772 break; 773 } 774 } 775 } 776 777 tdbp->tdb_snext = NULL; 778 tdb_free(tdbp); 779 tdb_count--; 780 781 splx(s); 782 } 783 784 /* 785 * Allocate a TDB and initialize a few basic fields. 786 */ 787 struct tdb * 788 tdb_alloc(u_int rdomain) 789 { 790 struct tdb *tdbp; 791 792 tdbp = malloc(sizeof(*tdbp), M_TDB, M_WAITOK | M_ZERO); 793 794 /* Init Incoming SA-Binding Queues. */ 795 TAILQ_INIT(&tdbp->tdb_inp_out); 796 TAILQ_INIT(&tdbp->tdb_inp_in); 797 798 TAILQ_INIT(&tdbp->tdb_policy_head); 799 800 /* Record establishment time. */ 801 tdbp->tdb_established = time_second; 802 803 /* Save routing domain */ 804 tdbp->tdb_rdomain = rdomain; 805 806 /* Initialize timeouts. */ 807 timeout_set(&tdbp->tdb_timer_tmo, tdb_timeout, tdbp); 808 timeout_set(&tdbp->tdb_first_tmo, tdb_firstuse, tdbp); 809 timeout_set(&tdbp->tdb_stimer_tmo, tdb_soft_timeout, tdbp); 810 timeout_set(&tdbp->tdb_sfirst_tmo, tdb_soft_firstuse, tdbp); 811 812 return tdbp; 813 } 814 815 void 816 tdb_free(struct tdb *tdbp) 817 { 818 struct ipsec_policy *ipo; 819 struct inpcb *inp; 820 821 if (tdbp->tdb_xform) { 822 (*(tdbp->tdb_xform->xf_zeroize))(tdbp); 823 tdbp->tdb_xform = NULL; 824 } 825 826 #if NPFSYNC > 0 827 /* Cleanup pfsync references */ 828 pfsync_delete_tdb(tdbp); 829 #endif 830 831 /* Cleanup inp references. */ 832 for (inp = TAILQ_FIRST(&tdbp->tdb_inp_in); inp; 833 inp = TAILQ_FIRST(&tdbp->tdb_inp_in)) { 834 TAILQ_REMOVE(&tdbp->tdb_inp_in, inp, inp_tdb_in_next); 835 inp->inp_tdb_in = NULL; 836 } 837 838 for (inp = TAILQ_FIRST(&tdbp->tdb_inp_out); inp; 839 inp = TAILQ_FIRST(&tdbp->tdb_inp_out)) { 840 TAILQ_REMOVE(&tdbp->tdb_inp_out, inp, inp_tdb_out_next); 841 inp->inp_tdb_out = NULL; 842 } 843 844 /* Cleanup SPD references. */ 845 for (ipo = TAILQ_FIRST(&tdbp->tdb_policy_head); ipo; 846 ipo = TAILQ_FIRST(&tdbp->tdb_policy_head)) { 847 TAILQ_REMOVE(&tdbp->tdb_policy_head, ipo, ipo_tdb_next); 848 ipo->ipo_tdb = NULL; 849 ipo->ipo_last_searched = 0; /* Force a re-search. */ 850 } 851 852 /* Remove expiration timeouts. */ 853 tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER | 854 TDBF_SOFT_TIMER); 855 timeout_del(&tdbp->tdb_timer_tmo); 856 timeout_del(&tdbp->tdb_first_tmo); 857 timeout_del(&tdbp->tdb_stimer_tmo); 858 timeout_del(&tdbp->tdb_sfirst_tmo); 859 860 if (tdbp->tdb_local_auth) { 861 ipsp_reffree(tdbp->tdb_local_auth); 862 tdbp->tdb_local_auth = NULL; 863 } 864 865 if (tdbp->tdb_remote_auth) { 866 ipsp_reffree(tdbp->tdb_remote_auth); 867 tdbp->tdb_remote_auth = NULL; 868 } 869 870 if (tdbp->tdb_srcid) { 871 ipsp_reffree(tdbp->tdb_srcid); 872 tdbp->tdb_srcid = NULL; 873 } 874 875 if (tdbp->tdb_dstid) { 876 ipsp_reffree(tdbp->tdb_dstid); 877 tdbp->tdb_dstid = NULL; 878 } 879 880 if (tdbp->tdb_local_cred) { 881 ipsp_reffree(tdbp->tdb_local_cred); 882 tdbp->tdb_local_cred = NULL; 883 } 884 885 if (tdbp->tdb_remote_cred) { 886 ipsp_reffree(tdbp->tdb_remote_cred); 887 tdbp->tdb_remote_cred = NULL; 888 } 889 890 #if NPF > 0 891 if (tdbp->tdb_tag) { 892 pf_tag_unref(tdbp->tdb_tag); 893 tdbp->tdb_tag = 0; 894 } 895 #endif 896 897 if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp)) 898 tdbp->tdb_onext->tdb_inext = NULL; 899 900 if ((tdbp->tdb_inext) && (tdbp->tdb_inext->tdb_onext == tdbp)) 901 tdbp->tdb_inext->tdb_onext = NULL; 902 903 free(tdbp, M_TDB); 904 } 905 906 /* 907 * Do further initializations of a TDB. 908 */ 909 int 910 tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) 911 { 912 struct xformsw *xsp; 913 int err; 914 915 for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { 916 if (xsp->xf_type == alg) { 917 err = (*(xsp->xf_init))(tdbp, xsp, ii); 918 return err; 919 } 920 } 921 922 DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n", 923 alg, ntohl(tdbp->tdb_spi), ipsp_address(tdbp->tdb_dst), 924 tdbp->tdb_sproto)); 925 926 return EINVAL; 927 } 928 929 /* 930 * Check which transformations are required. 931 */ 932 u_int8_t 933 get_sa_require(struct inpcb *inp) 934 { 935 u_int8_t sareq = 0; 936 937 if (inp != NULL) { 938 sareq |= inp->inp_seclevel[SL_AUTH] >= IPSEC_LEVEL_USE ? 939 NOTIFY_SATYPE_AUTH : 0; 940 sareq |= inp->inp_seclevel[SL_ESP_TRANS] >= IPSEC_LEVEL_USE ? 941 NOTIFY_SATYPE_CONF : 0; 942 sareq |= inp->inp_seclevel[SL_ESP_NETWORK] >= IPSEC_LEVEL_USE ? 943 NOTIFY_SATYPE_TUNNEL : 0; 944 } else { 945 sareq |= ipsec_auth_default_level >= IPSEC_LEVEL_USE ? 946 NOTIFY_SATYPE_AUTH : 0; 947 sareq |= ipsec_esp_trans_default_level >= IPSEC_LEVEL_USE ? 948 NOTIFY_SATYPE_CONF : 0; 949 sareq |= ipsec_esp_network_default_level >= IPSEC_LEVEL_USE ? 950 NOTIFY_SATYPE_TUNNEL : 0; 951 } 952 953 return (sareq); 954 } 955 956 /* 957 * Add an inpcb to the list of inpcb which reference this tdb directly. 958 */ 959 void 960 tdb_add_inp(struct tdb *tdb, struct inpcb *inp, int inout) 961 { 962 if (inout) { 963 if (inp->inp_tdb_in) { 964 if (inp->inp_tdb_in == tdb) 965 return; 966 967 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp, 968 inp_tdb_in_next); 969 } 970 971 inp->inp_tdb_in = tdb; 972 TAILQ_INSERT_TAIL(&tdb->tdb_inp_in, inp, inp_tdb_in_next); 973 } else { 974 if (inp->inp_tdb_out) { 975 if (inp->inp_tdb_out == tdb) 976 return; 977 978 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp, 979 inp_tdb_out_next); 980 } 981 982 inp->inp_tdb_out = tdb; 983 TAILQ_INSERT_TAIL(&tdb->tdb_inp_out, inp, inp_tdb_out_next); 984 } 985 } 986 987 /* Return a printable string for the IPv4 address. */ 988 char * 989 inet_ntoa4(struct in_addr ina) 990 { 991 static char buf[4][4 * sizeof "123" + 4]; 992 unsigned char *ucp = (unsigned char *) &ina; 993 static int i = 3; 994 995 i = (i + 1) % 4; 996 snprintf(buf[i], sizeof buf[0], "%d.%d.%d.%d", 997 ucp[0] & 0xff, ucp[1] & 0xff, 998 ucp[2] & 0xff, ucp[3] & 0xff); 999 return (buf[i]); 1000 } 1001 1002 /* Return a printable string for the address. */ 1003 char * 1004 ipsp_address(union sockaddr_union sa) 1005 { 1006 switch (sa.sa.sa_family) { 1007 #ifdef INET 1008 case AF_INET: 1009 return inet_ntoa4(sa.sin.sin_addr); 1010 #endif /* INET */ 1011 1012 #ifdef INET6 1013 case AF_INET6: 1014 return ip6_sprintf(&sa.sin6.sin6_addr); 1015 #endif /* INET6 */ 1016 1017 default: 1018 return "(unknown address family)"; 1019 } 1020 } 1021 1022 /* Check whether an IP{4,6} address is unspecified. */ 1023 int 1024 ipsp_is_unspecified(union sockaddr_union addr) 1025 { 1026 switch (addr.sa.sa_family) { 1027 #ifdef INET 1028 case AF_INET: 1029 if (addr.sin.sin_addr.s_addr == INADDR_ANY) 1030 return 1; 1031 else 1032 return 0; 1033 #endif /* INET */ 1034 1035 #ifdef INET6 1036 case AF_INET6: 1037 if (IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr)) 1038 return 1; 1039 else 1040 return 0; 1041 #endif /* INET6 */ 1042 1043 case 0: /* No family set. */ 1044 default: 1045 return 1; 1046 } 1047 } 1048 1049 /* Free reference-counted structure. */ 1050 void 1051 ipsp_reffree(struct ipsec_ref *ipr) 1052 { 1053 #ifdef DIAGNOSTIC 1054 if (ipr->ref_count <= 0) 1055 printf("ipsp_reffree: illegal reference count %d for " 1056 "object %p (len = %d, malloctype = %d)\n", 1057 ipr->ref_count, ipr, ipr->ref_len, ipr->ref_malloctype); 1058 #endif 1059 if (--ipr->ref_count <= 0) 1060 free(ipr, ipr->ref_malloctype); 1061 } 1062 1063 /* Mark a TDB as TDBF_SKIPCRYPTO. */ 1064 void 1065 ipsp_skipcrypto_mark(struct tdb_ident *tdbi) 1066 { 1067 struct tdb *tdb; 1068 int s = spltdb(); 1069 1070 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1071 if (tdb != NULL) { 1072 tdb->tdb_flags |= TDBF_SKIPCRYPTO; 1073 tdb->tdb_last_marked = time_second; 1074 } 1075 splx(s); 1076 } 1077 1078 /* Unmark a TDB as TDBF_SKIPCRYPTO. */ 1079 void 1080 ipsp_skipcrypto_unmark(struct tdb_ident *tdbi) 1081 { 1082 struct tdb *tdb; 1083 int s = spltdb(); 1084 1085 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1086 if (tdb != NULL) { 1087 tdb->tdb_flags &= ~TDBF_SKIPCRYPTO; 1088 tdb->tdb_last_marked = time_second; 1089 } 1090 splx(s); 1091 } 1092 1093 /* Return true if the two structures match. */ 1094 int 1095 ipsp_ref_match(struct ipsec_ref *ref1, struct ipsec_ref *ref2) 1096 { 1097 if (ref1->ref_type != ref2->ref_type || 1098 ref1->ref_len != ref2->ref_len || 1099 bcmp(ref1 + 1, ref2 + 1, ref1->ref_len)) 1100 return 0; 1101 1102 return 1; 1103 } 1104 1105 #ifdef notyet 1106 /* 1107 * Go down a chain of IPv4/IPv6/ESP/AH/IPiP chains creating an tag for each 1108 * IPsec header encountered. The offset where the first header, as well 1109 * as its type are given to us. 1110 */ 1111 struct m_tag * 1112 ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto) 1113 { 1114 int ipv4sa = 0, s, esphlen = 0, trail = 0, i; 1115 SLIST_HEAD(packet_tags, m_tag) tags; 1116 unsigned char lasteight[8]; 1117 struct tdb_ident *tdbi; 1118 struct m_tag *mtag; 1119 struct tdb *tdb; 1120 1121 #ifdef INET 1122 struct ip iph; 1123 #endif /* INET */ 1124 1125 #ifdef INET6 1126 struct in6_addr ip6_dst; 1127 #endif /* INET6 */ 1128 1129 /* We have to start with a known network protocol. */ 1130 if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6) 1131 return NULL; 1132 1133 SLIST_INIT(&tags); 1134 1135 while (1) { 1136 switch (proto) { 1137 #ifdef INET 1138 case IPPROTO_IPV4: /* Also IPPROTO_IPIP */ 1139 { 1140 /* 1141 * Save the IP header (we need both the 1142 * address and ip_hl). 1143 */ 1144 m_copydata(m, off, sizeof(struct ip), (caddr_t) &iph); 1145 ipv4sa = 1; 1146 proto = iph.ip_p; 1147 off += iph.ip_hl << 2; 1148 break; 1149 } 1150 #endif /* INET */ 1151 1152 #ifdef INET6 1153 case IPPROTO_IPV6: 1154 { 1155 int nxtp, l; 1156 1157 /* Copy the IPv6 address. */ 1158 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 1159 sizeof(struct ip6_hdr), (caddr_t) &ip6_dst); 1160 ipv4sa = 0; 1161 1162 /* 1163 * Go down the chain of headers until we encounter a 1164 * non-option. 1165 */ 1166 for (l = ip6_nexthdr(m, off, proto, &nxtp); l != -1; 1167 l = ip6_nexthdr(m, off, proto, &nxtp)) { 1168 off += l; 1169 proto = nxtp; 1170 1171 /* Construct a tag. */ 1172 if (nxtp == IPPROTO_AH) { 1173 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE, 1174 sizeof(struct tdb_ident), 1175 M_NOWAIT); 1176 1177 if (mtag == NULL) 1178 return SLIST_FIRST(&tags); 1179 1180 tdbi = (struct tdb_ident *) (mtag + 1); 1181 bzero(tdbi, sizeof(struct tdb_ident)); 1182 1183 m_copydata(m, off + sizeof(u_int32_t), 1184 sizeof(u_int32_t), 1185 (caddr_t) &tdbi->spi); 1186 1187 tdbi->proto = IPPROTO_AH; 1188 tdbi->dst.sin6.sin6_family = AF_INET6; 1189 tdbi->dst.sin6.sin6_len = 1190 sizeof(struct sockaddr_in6); 1191 tdbi->dst.sin6.sin6_addr = ip6_dst; 1192 tdbi->rdomain = 1193 rtable_l2(m->m_pkthdr.rdomain); 1194 SLIST_INSERT_HEAD(&tags, 1195 mtag, m_tag_link); 1196 } 1197 else 1198 if (nxtp == IPPROTO_IPV6) 1199 m_copydata(m, off + 1200 offsetof(struct ip6_hdr, 1201 ip6_dst), 1202 sizeof(struct ip6_hdr), 1203 (caddr_t) &ip6_dst); 1204 } 1205 break; 1206 } 1207 #endif /* INET6 */ 1208 1209 case IPPROTO_ESP: 1210 /* Verify that this has been decrypted. */ 1211 { 1212 union sockaddr_union su; 1213 u_int32_t spi; 1214 1215 m_copydata(m, off, sizeof(u_int32_t), (caddr_t) &spi); 1216 bzero(&su, sizeof(union sockaddr_union)); 1217 1218 s = spltdb(); 1219 1220 #ifdef INET 1221 if (ipv4sa) { 1222 su.sin.sin_family = AF_INET; 1223 su.sin.sin_len = sizeof(struct sockaddr_in); 1224 su.sin.sin_addr = iph.ip_dst; 1225 } 1226 #endif /* INET */ 1227 1228 #ifdef INET6 1229 if (!ipv4sa) { 1230 su.sin6.sin6_family = AF_INET6; 1231 su.sin6.sin6_len = sizeof(struct sockaddr_in6); 1232 su.sin6.sin6_addr = ip6_dst; 1233 } 1234 #endif /* INET6 */ 1235 1236 tdb = gettdb(spi, &su, IPPROTO_ESP); 1237 if (tdb == NULL) { 1238 splx(s); 1239 return SLIST_FIRST(&tags); 1240 } 1241 1242 /* How large is the ESP header ? We use this later. */ 1243 if (tdb->tdb_flags & TDBF_NOREPLAY) 1244 esphlen = sizeof(u_int32_t) + tdb->tdb_ivlen; 1245 else 1246 esphlen = 2 * sizeof(u_int32_t) + 1247 tdb->tdb_ivlen; 1248 1249 /* 1250 * Verify decryption. If the SA is using 1251 * random padding (as the "old" ESP SAs were 1252 * bound to do, there's nothing we can do to 1253 * see if the payload has been decrypted. 1254 */ 1255 if (tdb->tdb_flags & TDBF_RANDOMPADDING) { 1256 splx(s); 1257 return SLIST_FIRST(&tags); 1258 } 1259 1260 /* Update the length of trailing ESP authenticators. */ 1261 if (tdb->tdb_authalgxform) 1262 trail += tdb->tdb_authalgxform->authsize; 1263 1264 splx(s); 1265 1266 /* Copy the last 10 bytes. */ 1267 m_copydata(m, m->m_pkthdr.len - trail - 8, 8, 1268 lasteight); 1269 1270 /* Verify the self-describing padding values. */ 1271 if (lasteight[6] != 0) { 1272 if (lasteight[6] != lasteight[5]) 1273 return SLIST_FIRST(&tags); 1274 1275 for (i = 4; lasteight[i + 1] != 1 && i >= 0; 1276 i--) 1277 if (lasteight[i + 1] != 1278 lasteight[i] + 1) 1279 return SLIST_FIRST(&tags); 1280 } 1281 } 1282 /* FALLTHROUGH */ 1283 case IPPROTO_AH: 1284 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE, 1285 sizeof(struct tdb_ident), M_NOWAIT); 1286 if (mtag == NULL) 1287 return SLIST_FIRST(&tags); 1288 1289 tdbi = (struct tdb_ident *) (mtag + 1); 1290 bzero(tdbi, sizeof(struct tdb_ident)); 1291 1292 /* Get SPI off the relevant header. */ 1293 if (proto == IPPROTO_AH) 1294 m_copydata(m, off + sizeof(u_int32_t), 1295 sizeof(u_int32_t), (caddr_t) &tdbi->spi); 1296 else /* IPPROTO_ESP */ 1297 m_copydata(m, off, sizeof(u_int32_t), 1298 (caddr_t) &tdbi->spi); 1299 1300 tdbi->proto = proto; /* AH or ESP */ 1301 tdbi->rdomain = rtable_l2(m->m_pkthdr.rdomain); 1302 1303 #ifdef INET 1304 /* Last network header was IPv4. */ 1305 if (ipv4sa) { 1306 tdbi->dst.sin.sin_family = AF_INET; 1307 tdbi->dst.sin.sin_len = 1308 sizeof(struct sockaddr_in); 1309 tdbi->dst.sin.sin_addr = iph.ip_dst; 1310 } 1311 #endif /* INET */ 1312 1313 #ifdef INET6 1314 /* Last network header was IPv6. */ 1315 if (!ipv4sa) { 1316 tdbi->dst.sin6.sin6_family = AF_INET6; 1317 tdbi->dst.sin6.sin6_len = 1318 sizeof(struct sockaddr_in6); 1319 tdbi->dst.sin6.sin6_addr = ip6_dst; 1320 } 1321 #endif /* INET6 */ 1322 1323 SLIST_INSERT_HEAD(&tags, mtag, m_tag_link); 1324 1325 /* Update next protocol/header and header offset. */ 1326 if (proto == IPPROTO_AH) { 1327 u_int8_t foo[2]; 1328 1329 m_copydata(m, off, 2 * sizeof(u_int8_t), foo); 1330 proto = foo[0]; 1331 off += (foo[1] + 2) << 2; 1332 } else {/* IPPROTO_ESP */ 1333 /* Initialized in IPPROTO_ESP case. */ 1334 off += esphlen; 1335 proto = lasteight[7]; 1336 } 1337 break; 1338 1339 default: 1340 return SLIST_FIRST(&tags); /* We're done. */ 1341 } 1342 } 1343 } 1344 #endif /* notyet */ 1345