1 /**	$MirOS: src/sys/netinet/ip_ipsp.c,v 1.4 2010/09/21 21:24:27 tg Exp $ */
2 /*	$OpenBSD: ip_ipsp.c,v 1.164 2005/11/24 12:08:16 pedro Exp $	*/
3 /*
4  * The authors of this code are John Ioannidis (ji@tla.org),
5  * Angelos D. Keromytis (kermit@csd.uch.gr),
6  * Niels Provos (provos@physnet.uni-hamburg.de) and
7  * Niklas Hallqvist (niklas@appli.se).
8  *
9  * The original version of this code was written by John Ioannidis
10  * for BSD/OS in Athens, Greece, in November 1995.
11  *
12  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
13  * by Angelos D. Keromytis.
14  *
15  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
16  * and Niels Provos.
17  *
18  * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist.
19  *
20  * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
21  * Angelos D. Keromytis and Niels Provos.
22  * Copyright (c) 1999 Niklas Hallqvist.
23  * Copyright (c) 2001, Angelos D. Keromytis.
24  *
25  * Permission to use, copy, and modify this software with or without fee
26  * is hereby granted, provided that this entire notice is included in
27  * all copies of any software which is or includes a copy or
28  * modification of this software.
29  * You may use this code under the GNU public license if you so wish. Please
30  * contribute changes back to the authors under this freer than GPL license
31  * so that we may further the use of strong encryption without limitations to
32  * all.
33  *
34  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
35  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
36  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
37  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
38  * PURPOSE.
39  */
40 
41 #include <sys/param.h>
42 #include <sys/mbuf.h>
43 #include <sys/socket.h>
44 #include <sys/kernel.h>
45 #include <sys/sysctl.h>
46 
47 #include <net/if.h>
48 #include <net/route.h>
49 
50 #ifdef INET
51 #include <netinet/in.h>
52 #include <netinet/in_systm.h>
53 #include <netinet/ip.h>
54 #include <netinet/in_pcb.h>
55 #endif /* INET */
56 
57 #ifdef INET6
58 #ifndef INET
59 #include <netinet/in.h>
60 #endif
61 #include <netinet6/in6_var.h>
62 #endif /* INET6 */
63 
64 #include <netinet/ip_ipsp.h>
65 #include <net/pfkeyv2.h>
66 #include <crypto/xform.h>
67 #include <dev/rndvar.h>
68 
69 #ifdef DDB
70 #include <ddb/db_output.h>
71 void tdb_hashstats(void);
72 #endif
73 
74 #ifdef ENCDEBUG
75 #define	DPRINTF(x)	if (encdebug) printf x
76 #else
77 #define	DPRINTF(x)
78 #endif
79 
/* Prototypes for the file-local helpers and timeout callbacks defined below. */
int		ipsp_kern(int, char **, int);
u_int8_t	get_sa_require(struct inpcb *);
void		tdb_rehash(void);
/* timeout(9) callbacks; each receives the struct tdb * it was armed with */
void		tdb_timeout(void *v);
void		tdb_firstuse(void *v);
void		tdb_soft_timeout(void *v);
void		tdb_soft_firstuse(void *v);

/*
 * System-wide default IPsec levels, consulted by get_sa_require() when
 * no socket is given.  (ipsec_ipcomp_default_level is not used in this
 * file.)
 */
extern int	ipsec_auth_default_level;
extern int	ipsec_esp_trans_default_level;
extern int	ipsec_esp_network_default_level;
extern int	ipsec_ipcomp_default_level;

extern int encdebug;		/* enables DPRINTF() output under ENCDEBUG */
int ipsec_in_use = 0;
u_int64_t ipsec_last_added = 0;	/* time.tv_sec of the most recent puttdb() */

/* Heads of the policy list and the pending-ACQUIRE list. */
struct ipsec_policy_head ipsec_policy_head =
    TAILQ_HEAD_INITIALIZER(ipsec_policy_head);
struct ipsec_acquire_head ipsec_acquire_head =
    TAILQ_HEAD_INITIALIZER(ipsec_acquire_head);
101 
/*
 * This is the proper place to define the various encapsulation transforms.
 *
 * Each row: transform type (XF_*), capability flags (XFT_*), a printable
 * name, then the attach/init/zeroize/input/output entry points.  tdb_init()
 * selects a row by linear search on xf_type.  ipe4_input is cast here,
 * presumably because its prototype differs from the generic xf_input
 * signature.
 */

struct xformsw xformsw[] = {
	{ XF_IP4,	     0,               "IPv4 Simple Encapsulation",
	  ipe4_attach,       ipe4_init,       ipe4_zeroize,
	  (int (*)(struct mbuf *, struct tdb *, int, int))ipe4_input,
	  ipip_output, },
	{ XF_AH,	 XFT_AUTH,	    "IPsec AH",
	  ah_attach,	ah_init,   ah_zeroize,
	  ah_input,	 	ah_output, },
	{ XF_ESP,	 XFT_CONF|XFT_AUTH, "IPsec ESP",
	  esp_attach,	esp_init,  esp_zeroize,
	  esp_input,	esp_output, },
	{ XF_IPCOMP,	XFT_COMP, "IPcomp",
	  ipcomp_attach,    ipcomp_init, ipcomp_zeroize,
	  ipcomp_input,     ipcomp_output, },
#ifdef TCP_SIGNATURE
	{ XF_TCPSIGNATURE,	 XFT_AUTH, "TCP MD5 Signature Option, RFC 2385",
	  tcp_signature_tdb_attach, 	tcp_signature_tdb_init,
	  tcp_signature_tdb_zeroize,	tcp_signature_tdb_input,
	  tcp_signature_tdb_output, }
#endif /* TCP_SIGNATURE */
};

/* One past the last row; tdb_init() iterates over [xformsw, xformswNXFORMSW). */
struct xformsw *xformswNXFORMSW = &xformsw[sizeof(xformsw)/sizeof(xformsw[0])];
129 
unsigned char ipseczeroes[IPSEC_ZEROES_SIZE]; /* zeroes! (all-zero scratch block) */

/* Initial bucket count; the mask arithmetic in tdb_hash()/tdb_rehash() assumes a power of two. */
#define	TDB_HASHSIZE_INIT	32

/*
 * Three hash tables over the same set of TDBs, all with tdb_hashmask + 1
 * buckets: tdbh is keyed on <spi, dst, proto>, tdbaddr on <dst, proto>
 * and tdbsrc on <src, proto> (see tdb_hash()).  They are created lazily
 * by puttdb() and grown together by tdb_rehash().
 */
static struct tdb **tdbh = NULL;
static struct tdb **tdbaddr = NULL;
static struct tdb **tdbsrc = NULL;
static u_int tdb_hashmask = TDB_HASHSIZE_INIT - 1;
static int tdb_count;		/* TDBs currently linked into the tables */
139 
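/*
 * Hash an SA identifier <spi, dst, proto> into a bucket index in
 * [0, tdb_hashmask].
 *
 * The two multipliers are drawn lazily from arc4random() and are never
 * zero, so the bucket distribution cannot be predicted from the key
 * material alone; this is what keeps an attacker from choosing SPIs and
 * addresses that all collide into one bucket.  All SA_LEN(dst) bytes of
 * the sockaddr (family, length, port and padding included) are mixed in,
 * so a lookup must present a sockaddr byte-identical to the one the TDB
 * was inserted with.  A zero spi is used by the address-only tables.
 */
int
tdb_hash(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto)
{
	static u_int32_t mult1 = 0, mult2 = 0;
	u_int8_t *ptr = (u_int8_t *) dst;
	int i, shift;
	u_int64_t hash;
	/*
	 * Unsigned accumulator: the previous int version left-shifted an
	 * address byte >= 0x80 into the sign bit, which is undefined
	 * behaviour for signed types.  Unsigned wraps, which is what the
	 * mixing below relies on; the resulting bucket values are unchanged.
	 */
	u_int32_t val32 = 0;

	while (mult1 == 0)
		mult1 = arc4random();
	while (mult2 == 0)
		mult2 = arc4random();

	hash = (spi ^ proto) * mult1;
	for (i = 0; i < SA_LEN(&dst->sa); i++) {
		val32 = (val32 << 8) | ptr[i];
		if (i % 4 == 3) {
			hash ^= val32 * mult2;
			val32 = 0;
		}
	}

	/* Fold in a trailing partial word. */
	if (i % 4 != 0)
		hash ^= val32 * mult2;

	/* Fold the value down until it fits within the bucket mask. */
	shift = ffs(tdb_hashmask + 1);
	while ((hash & ~tdb_hashmask) != 0)
		hash = (hash >> shift) ^ (hash & tdb_hashmask);

	return hash;
}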
176 
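/*
 * Reserve an SPI in [sspi, tspi] for an SA towards <src, dst, sproto>.
 * The SA is linked into the tables but flagged TDBF_INVALID until key
 * management fills it in.  Returns the SPI in network byte order, or 0
 * with *errval set: EINVAL if the range is empty or lies entirely in the
 * reserved area (for IPCOMP: outside the well-known 16-bit CPI space),
 * EEXIST if every attempt collided with an existing SA.
 *
 * If ipsec_keep_invalid is positive the placeholder gets a "silent"
 * hard timeout so an abandoned reservation is eventually removed.
 */
u_int32_t
reserve_spi(u_int32_t sspi, u_int32_t tspi, union sockaddr_union *src,
    union sockaddr_union *dst, u_int8_t sproto, int *errval)
{
	struct tdb *tdbp;
	u_int32_t spi;
	int nums, s;

	/* Don't accept ranges only encompassing reserved SPIs. */
	if (sproto != IPPROTO_IPCOMP &&
	    (tspi < sspi || tspi <= SPI_RESERVED_MAX)) {
		(*errval) = EINVAL;
		return 0;
	}
	if (sproto == IPPROTO_IPCOMP && (tspi < sspi ||
	    tspi <= CPI_RESERVED_MAX ||
	    tspi >= CPI_PRIVATE_MIN)) {
		(*errval) = EINVAL;
		return 0;
	}

	/* Limit the range to not include reserved areas. */
	if (sspi <= SPI_RESERVED_MAX)
		sspi = SPI_RESERVED_MAX + 1;

	/* For IPCOMP the CPI is only 16 bits long: clamp, then reorder. */
	if (sproto == IPPROTO_IPCOMP) {
		u_int32_t t;
		if (sspi >= 0x10000)
			sspi = 0xffff;
		if (tspi >= 0x10000)
			tspi = 0xffff;
		if (sspi > tspi) {
			t = sspi; sspi = tspi; tspi = t;
		}
	}

	if (sspi == tspi)   /* Asking for a specific SPI. */
		nums = 1;
	else
		nums = 100;  /* Arbitrarily chosen */

	/*
	 * Allocate the placeholder up front.  tdb_alloc() uses M_WAITOK and
	 * can sleep; the old code allocated between the gettdb() probe and
	 * puttdb(), leaving a window in which another reserver could insert
	 * the same SPI and produce duplicate SAs.  With the allocation out
	 * of the way the probe and the insert run in one spltdb() section.
	 */
	tdbp = tdb_alloc();

	while (nums--) {
		if (sspi == tspi)  /* Specific SPI asked. */
			spi = tspi;
		else    /* Range specified; tspi is inclusive, hence + 1. */
			spi = sspi + arc4random_uniform(tspi - sspi + 1);

		/* Don't allocate reserved SPIs.  */
		if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX)
			continue;
		spi = htonl(spi);

		s = spltdb();

		/* Check whether we're using this SPI already. */
		if (gettdb(spi, dst, sproto) != NULL) {
			splx(s);
			continue;
		}

		tdbp->tdb_spi = spi;
		bcopy(&dst->sa, &tdbp->tdb_dst.sa, SA_LEN(&dst->sa));
		bcopy(&src->sa, &tdbp->tdb_src.sa, SA_LEN(&src->sa));
		tdbp->tdb_sproto = sproto;
		tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */
		tdbp->tdb_satype = SADB_SATYPE_UNSPEC;
		puttdb(tdbp);

		/* Setup a "silent" expiration (since TDBF_INVALID's set). */
		if (ipsec_keep_invalid > 0) {
			tdbp->tdb_flags |= TDBF_TIMER;
			tdbp->tdb_exp_timeout = ipsec_keep_invalid;
			timeout_add(&tdbp->tdb_timer_tmo,
			    hz * ipsec_keep_invalid);
		}

		splx(s);
		return spi;
	}

	/* Every attempt collided or fell into the reserved range. */
	tdb_free(tdbp);
	(*errval) = EEXIST;
	return 0;
}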
268 
/*
 * An IPSP SAID is the concatenation of the SPI found in the packet, the
 * packet's destination address and the IPsec protocol.  On input we look
 * up the tunnel descriptor block by <spi, dst, proto>, where dst is one
 * of our own addresses (we received the packet, after all).
 *
 * Returns NULL if the tables have not been created yet or nothing
 * matches.  The comparison covers SA_LEN(dst) bytes of the stored
 * destination, so dst must be laid out exactly as it was at insertion.
 *
 * Caller is responsible for setting at least spltdb().
 */
struct tdb *
gettdb(u_int32_t spi, union sockaddr_union *dst, u_int8_t proto)
{
	struct tdb *cur;

	if (tdbh == NULL)
		return NULL;

	cur = tdbh[tdb_hash(spi, dst, proto)];
	while (cur != NULL) {
		if (cur->tdb_spi == spi && cur->tdb_sproto == proto &&
		    bcmp(&cur->tdb_dst, dst, SA_LEN(&dst->sa)) == 0)
			return cur;
		cur = cur->tdb_hnext;
	}

	return NULL;
}
296 
297 #ifdef TCP_SIGNATURE
/*
 * Scan one tdbsrc[] chain for a usable (not TDBF_INVALID) TDB of the
 * given protocol.  A zero spi matches any SPI; a TDB whose destination
 * family is AF_UNSPEC matches any dst.  With src == NULL only TDBs whose
 * source family is AF_UNSPEC qualify (the wildcard pass); otherwise the
 * stored source must equal src byte for byte.
 */
static struct tdb *
tdbsrc_chain_find(struct tdb *head, u_int32_t spi, union sockaddr_union *src,
    union sockaddr_union *dst, u_int8_t proto)
{
	struct tdb *cur;

	for (cur = head; cur != NULL; cur = cur->tdb_snext) {
		if (cur->tdb_sproto != proto)
			continue;
		if (spi != 0 && cur->tdb_spi != spi)
			continue;
		if (cur->tdb_flags & TDBF_INVALID)
			continue;
		if (cur->tdb_dst.sa.sa_family != AF_UNSPEC &&
		    bcmp(&cur->tdb_dst, dst, SA_LEN(&dst->sa)) != 0)
			continue;
		if (src == NULL) {
			if (cur->tdb_src.sa.sa_family != AF_UNSPEC)
				continue;
		} else if (bcmp(&cur->tdb_src, src, SA_LEN(&src->sa)) != 0)
			continue;
		return cur;
	}

	return NULL;
}

/*
 * Like gettdb() but keyed on the source address as well (so it uses the
 * tdbsrc[] table), as TCP-MD5 needs.  Setting spi to 0 matches all
 * SPIs.  An exact <src, dst> match is preferred; failing that, a TDB
 * with an unspecified (AF_UNSPEC) source is returned — such entries
 * hash like an all-zero sockaddr, which is the bucket probed second.
 */
struct tdb *
gettdbbysrcdst(u_int32_t spi, union sockaddr_union *src,
    union sockaddr_union *dst, u_int8_t proto)
{
	union sockaddr_union su_null;
	struct tdb *found;

	if (tdbsrc == NULL)
		return NULL;

	/* First pass: exact source match. */
	found = tdbsrc_chain_find(tdbsrc[tdb_hash(0, src, proto)],
	    spi, src, dst, proto);
	if (found != NULL)
		return found;

	/* Second pass: wildcard-source TDBs. */
	bzero(&su_null, sizeof(su_null));
	su_null.sa.sa_len = sizeof(struct sockaddr);

	return tdbsrc_chain_find(tdbsrc[tdb_hash(0, &su_null, proto)],
	    spi, NULL, dst, proto);
}
343 #endif
344 
/*
 * Return true when a TDB's auxiliary attributes satisfy what a policy
 * (or an already established TDB) asks for.  Each non-NULL p* argument
 * is a requirement: the TDB must carry the corresponding reference and
 * it must match per ipsp_ref_match().  A NULL p* means "don't care".
 *
 * If the TDB carries a flow filter, the policy's filter and mask must be
 * byte-identical to it.  pfilter/pfiltermask are only dereferenced in
 * that case, so callers that can reach a filtered TDB must pass them.
 */
int
ipsp_aux_match(struct tdb *tdb,
    struct ipsec_ref *psrcid,
    struct ipsec_ref *pdstid,
    struct ipsec_ref *plcred,
    struct ipsec_ref *prcred,
    struct sockaddr_encap *pfilter,
    struct sockaddr_encap *pfiltermask)
{
	struct ipsec_ref *have[4], *want[4];
	int k;

	have[0] = tdb->tdb_srcid;	want[0] = psrcid;
	have[1] = tdb->tdb_dstid;	want[1] = pdstid;
	have[2] = tdb->tdb_local_cred;	want[2] = plcred;
	have[3] = tdb->tdb_remote_cred;	want[3] = prcred;

	/* Every requested reference must be present on the TDB and equal. */
	for (k = 0; k < 4; k++) {
		if (want[k] == NULL)
			continue;
		if (have[k] == NULL || !ipsp_ref_match(have[k], want[k]))
			return 0;
	}

	/*
	 * Filter check.  XXX This should really be a subnet containment
	 * test (is the TDB's filter a subset of the policy's?).  Exact
	 * equality merely forces every policy to get its own SAs, which
	 * is correct if wasteful.
	 */
	if (tdb->tdb_filter.sen_type &&
	    (bcmp(&tdb->tdb_filter, pfilter, sizeof(struct sockaddr_encap)) ||
	    bcmp(&tdb->tdb_filtermask, pfiltermask,
	    sizeof(struct sockaddr_encap))))
		return 0;

	return 1;
}
398 
/*
 * Find a usable SA by remote address dst and protocol sproto, subject to
 * the optional ID / local-credential / filter constraints checked by
 * ipsp_aux_match().  TDBs flagged TDBF_INVALID are skipped.  m and af
 * are accepted for interface compatibility and not consulted here.
 * Returns NULL if the tables do not exist yet or nothing matches.
 */
struct tdb *
gettdbbyaddr(union sockaddr_union *dst, u_int8_t sproto,
    struct ipsec_ref *srcid, struct ipsec_ref *dstid,
    struct ipsec_ref *local_cred, struct mbuf *m, int af,
    struct sockaddr_encap *filter, struct sockaddr_encap *filtermask)
{
	struct tdb *cur;

	if (tdbaddr == NULL)
		return NULL;

	for (cur = tdbaddr[tdb_hash(0, dst, sproto)]; cur != NULL;
	    cur = cur->tdb_anext) {
		if (cur->tdb_sproto != sproto ||
		    (cur->tdb_flags & TDBF_INVALID) != 0 ||
		    bcmp(&cur->tdb_dst, dst, SA_LEN(&dst->sa)) != 0)
			continue;
		/* Address matches; now IDs, local credential and filter. */
		if (ipsp_aux_match(cur, srcid, dstid, local_cred, NULL,
		    filter, filtermask))
			return cur;
	}

	return NULL;
}
430 
/*
 * Find a usable SA by source address src and protocol sproto, subject to
 * the optional ID / filter constraints.  Note that the caller's dstid is
 * matched against the TDB's srcid and vice versa — presumably because
 * the SA is viewed from the peer's side here; kept as-is.  TDBs flagged
 * TDBF_INVALID are skipped.  m and af are accepted for interface
 * compatibility and not consulted here.  Returns NULL if the tables do
 * not exist yet or nothing matches.
 */
struct tdb *
gettdbbysrc(union sockaddr_union *src, u_int8_t sproto,
    struct ipsec_ref *srcid, struct ipsec_ref *dstid,
    struct mbuf *m, int af, struct sockaddr_encap *filter,
    struct sockaddr_encap *filtermask)
{
	struct tdb *cur;

	if (tdbsrc == NULL)
		return NULL;

	for (cur = tdbsrc[tdb_hash(0, src, sproto)]; cur != NULL;
	    cur = cur->tdb_snext) {
		if (cur->tdb_sproto != sproto ||
		    (cur->tdb_flags & TDBF_INVALID) != 0 ||
		    bcmp(&cur->tdb_src, src, SA_LEN(&src->sa)) != 0)
			continue;
		/* Address matches; now the (swapped) IDs and the filter. */
		if (ipsp_aux_match(cur, dstid, srcid, NULL, NULL,
		    filter, filtermask))
			return cur;
	}

	return NULL;
}
462 
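#ifdef DDB
/*
 * ddb helper: print a histogram of tdbh[] chain lengths.  Chains of 15
 * or more entries are lumped into the "15+" row.  Debugging aid only;
 * walks the table without raising spl.
 *
 * Uses #ifdef like the prototype above (and the rest of the file); the
 * old "#if DDB" would fail if DDB were ever defined without a value.
 */
void
tdb_hashstats(void)
{
	int buckets[16];	/* buckets[n] = number of chains of length n */
	int len;
	u_int i;
	struct tdb *cur;

	if (tdbh == NULL) {
		db_printf("no tdb hash table\n");
		return;
	}

	bzero(buckets, sizeof(buckets));
	for (i = 0; i <= tdb_hashmask; i++) {
		/*
		 * Stop counting at 15: the old bound of 16 let a chain of
		 * 16 or more entries write buckets[16], one past the array.
		 */
		len = 0;
		for (cur = tdbh[i]; len < 15 && cur != NULL;
		    cur = cur->tdb_hnext)
			len++;
		buckets[len]++;
	}

	db_printf("tdb cnt\t\tbucket cnt\n");
	for (len = 0; len < 16; len++)
		if (buckets[len] > 0)
			db_printf("%d%s\t\t%d\n", len, len == 15 ? "+" : "",
			    buckets[len]);
}
#endif	/* DDB */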
491 
/*
 * Call walker(tdb, arg, last) for every TDB in tdbh[], stopping as soon
 * as a call returns non-zero (that value is returned).  The next pointer
 * is read before each call, so a walker may delete the TDB it was
 * handed; deleting any other TDB is unsafe.  last is 1 only for the
 * final entry of the final bucket — if that bucket is empty no call
 * sees last == 1, so callers should not depend on always getting it.
 * Returns ENOENT if the tables have not been created.
 *
 * Caller is responsible for setting at least spltdb().
 */
int
tdb_walk(int (*walker)(struct tdb *, void *, int), void *arg)
{
	struct tdb *cur, *next;
	u_int bucket;
	int rval = 0;

	if (tdbh == NULL)
		return ENOENT;

	for (bucket = 0; bucket <= tdb_hashmask && rval == 0; bucket++) {
		cur = tdbh[bucket];
		while (cur != NULL && rval == 0) {
			next = cur->tdb_hnext;
			rval = walker(cur, arg,
			    (bucket == tdb_hashmask && next == NULL) ? 1 : 0);
			cur = next;
		}
	}

	return rval;
}
515 
/*
 * Hard-lifetime expiration callback (armed with tdb_timer_tmo).  Does
 * nothing if TDBF_TIMER has since been cleared.  Key management is
 * notified via pfkeyv2_expire() unless the SA is still a TDBF_INVALID
 * placeholder (see reserve_spi()), in which case it expires silently.
 * Either way the SA is deleted.
 *
 * Called at splsoftclock().
 */
void
tdb_timeout(void *v)
{
	struct tdb *tdb = v;
	int announce;

	if ((tdb->tdb_flags & TDBF_TIMER) == 0)
		return;

	announce = (tdb->tdb_flags & TDBF_INVALID) == 0;
	if (announce)
		pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
	tdb_delete(tdb);
}
532 
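/*
 * Hard first-use lifetime expiration (armed with tdb_first_tmo): the SA
 * is torn down a fixed time after its first use.  Guarded by
 * TDBF_FIRSTUSE, the flag that pairs with this timer just as
 * tdb_timeout()/TDBF_TIMER, tdb_soft_timeout()/TDBF_SOFT_TIMER and
 * tdb_soft_firstuse()/TDBF_SOFT_FIRSTUSE pair up.
 *
 * This used to test TDBF_SOFT_FIRSTUSE.  tdb_soft_firstuse() clears
 * that flag when it fires, after which the hard expiration returned
 * early and the SA outlived its configured hard lifetime; an SA with no
 * soft first-use lifetime never hard-expired at all.
 *
 * Key management is only told about the expiration if the SA was in
 * fact used (tdb_first_use != 0); the SA is deleted regardless.
 */
void
tdb_firstuse(void *v)
{
	struct tdb *tdb = v;

	if (!(tdb->tdb_flags & TDBF_FIRSTUSE))
		return;

	/* If the TDB hasn't been used, don't renew it. */
	if (tdb->tdb_first_use != 0)
		pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD);
	tdb_delete(tdb);
}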
546 
/*
 * Soft-lifetime expiration callback (armed with tdb_stimer_tmo).  Tells
 * key management the SA is about to expire so it can negotiate a
 * replacement, then clears TDBF_SOFT_TIMER so this fires at most once.
 * The SA itself stays in place; tdb_timeout() removes it later.
 */
void
tdb_soft_timeout(void *v)
{
	struct tdb *tdb = v;

	if ((tdb->tdb_flags & TDBF_SOFT_TIMER) == 0)
		return;

	pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
	tdb->tdb_flags &= ~TDBF_SOFT_TIMER;
}
559 
/*
 * Soft first-use lifetime expiration (armed with tdb_sfirst_tmo).  Key
 * management is only notified if the SA was actually used
 * (tdb_first_use != 0); an unused SA is not worth renewing.  The flag
 * is cleared so the notification is sent at most once.
 */
void
tdb_soft_firstuse(void *v)
{
	struct tdb *tdb = v;

	if ((tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) == 0)
		return;

	if (tdb->tdb_first_use != 0)
		pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT);
	tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE;
}
573 
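/*
 * Double the bucket count of all three hash tables and redistribute
 * every TDB.  Chains are rebuilt by pushing onto the new bucket heads,
 * so the relative order within a bucket is reversed; nothing depends
 * on that order.
 *
 * Caller is responsible for spltdb().  MALLOC(M_WAITOK) can still
 * sleep, so the new tables are allocated before tdb_hashmask is
 * changed: the old code published the doubled mask first, and a lookup
 * running during that sleep would have indexed the old, smaller tables
 * with the larger mask.  No sleeping point remains between updating the
 * mask and swapping the table pointers below.
 */
void
tdb_rehash(void)
{
	struct tdb **new_tdbh, **new_tdbaddr, **new_tdbsrc, *cur, *next;
	u_int b, old_hashmask = tdb_hashmask;
	u_int new_hashmask = (tdb_hashmask << 1) | 1;
	size_t bytes = sizeof(struct tdb *) * (new_hashmask + 1);
	u_int32_t idx;

	MALLOC(new_tdbh, struct tdb **, bytes, M_TDB, M_WAITOK);
	MALLOC(new_tdbaddr, struct tdb **, bytes, M_TDB, M_WAITOK);
	MALLOC(new_tdbsrc, struct tdb **, bytes, M_TDB, M_WAITOK);
	bzero(new_tdbh, bytes);
	bzero(new_tdbaddr, bytes);
	bzero(new_tdbsrc, bytes);

	/* tdb_hash() reads the global mask; switch it before re-hashing. */
	tdb_hashmask = new_hashmask;

	for (b = 0; b <= old_hashmask; b++) {
		/* <spi, dst, proto> table. */
		for (cur = tdbh[b]; cur != NULL; cur = next) {
			next = cur->tdb_hnext;
			idx = tdb_hash(cur->tdb_spi, &cur->tdb_dst,
			    cur->tdb_sproto);
			cur->tdb_hnext = new_tdbh[idx];
			new_tdbh[idx] = cur;
		}

		/* <dst, proto> table. */
		for (cur = tdbaddr[b]; cur != NULL; cur = next) {
			next = cur->tdb_anext;
			idx = tdb_hash(0, &cur->tdb_dst, cur->tdb_sproto);
			cur->tdb_anext = new_tdbaddr[idx];
			new_tdbaddr[idx] = cur;
		}

		/* <src, proto> table. */
		for (cur = tdbsrc[b]; cur != NULL; cur = next) {
			next = cur->tdb_snext;
			idx = tdb_hash(0, &cur->tdb_src, cur->tdb_sproto);
			cur->tdb_snext = new_tdbsrc[idx];
			new_tdbsrc[idx] = cur;
		}
	}

	FREE(tdbh, M_TDB);
	FREE(tdbaddr, M_TDB);
	FREE(tdbsrc, M_TDB);
	tdbh = new_tdbh;
	tdbaddr = new_tdbaddr;
	tdbsrc = new_tdbsrc;
}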
632 
/*
 * Link tdbp into all three hash tables, creating them on first use with
 * TDB_HASHSIZE_INIT buckets.  Grows the tables via tdb_rehash() when the
 * target tdbh[] bucket already holds at least two entries AND the TDB
 * count exceeds 10% of the bucket count.  That trigger is deliberately
 * lax so that repeatedly adding and removing TDBs which happen to land
 * in the same bucket (not uncommon with manual keying) does not rehash
 * every time.  Also bumps tdb_count and records the insertion time in
 * ipsec_last_added.  Raises spltdb() itself.
 */
void
puttdb(struct tdb *tdbp)
{
	size_t bytes;
	u_int32_t idx;
	int s;

	s = spltdb();

	if (tdbh == NULL) {
		bytes = sizeof(struct tdb *) * (tdb_hashmask + 1);
		MALLOC(tdbh, struct tdb **, bytes, M_TDB, M_WAITOK);
		MALLOC(tdbaddr, struct tdb **, bytes, M_TDB, M_WAITOK);
		MALLOC(tdbsrc, struct tdb **, bytes, M_TDB, M_WAITOK);
		bzero(tdbh, bytes);
		bzero(tdbaddr, bytes);
		bzero(tdbsrc, bytes);
	}

	idx = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, tdbp->tdb_sproto);
	if (tdbh[idx] != NULL && tdbh[idx]->tdb_hnext != NULL &&
	    tdb_count * 10 > tdb_hashmask + 1) {
		tdb_rehash();
		/* Bucket count changed; recompute under the new mask. */
		idx = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst,
		    tdbp->tdb_sproto);
	}
	tdbp->tdb_hnext = tdbh[idx];
	tdbh[idx] = tdbp;

	idx = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto);
	tdbp->tdb_anext = tdbaddr[idx];
	tdbaddr[idx] = tdbp;

	idx = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto);
	tdbp->tdb_snext = tdbsrc[idx];
	tdbsrc[idx] = tdbp;

	tdb_count++;
	ipsec_last_added = time.tv_sec;

	splx(s);
}
692 
/*
 * Unlink tdbp from all three hash tables, release it via tdb_free() and
 * decrement tdb_count.  Each chain is walked through the pointer that
 * links to the current node so head and interior removals share one
 * path.  A tdbp that is not actually linked is left alone by the
 * unlink loops but still freed and counted down, as before.
 *
 * Caller is responsible to set at least spltdb().
 */
void
tdb_delete(struct tdb *tdbp)
{
	struct tdb **link;
	u_int32_t idx;
	int s;

	if (tdbh == NULL)
		return;

	idx = tdb_hash(tdbp->tdb_spi, &tdbp->tdb_dst, tdbp->tdb_sproto);

	s = spltdb();

	/* <spi, dst, proto> chain. */
	for (link = &tdbh[idx]; *link != NULL; link = &(*link)->tdb_hnext) {
		if (*link == tdbp) {
			*link = tdbp->tdb_hnext;
			break;
		}
	}
	tdbp->tdb_hnext = NULL;

	/* <dst, proto> chain. */
	idx = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto);
	for (link = &tdbaddr[idx]; *link != NULL; link = &(*link)->tdb_anext) {
		if (*link == tdbp) {
			*link = tdbp->tdb_anext;
			break;
		}
	}

	/* <src, proto> chain. */
	idx = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto);
	for (link = &tdbsrc[idx]; *link != NULL; link = &(*link)->tdb_snext) {
		if (*link == tdbp) {
			*link = tdbp->tdb_snext;
			break;
		}
	}
	tdbp->tdb_snext = NULL;

	tdb_free(tdbp);
	tdb_count--;

	splx(s);
}
764 
/*
 * Allocate a zero-filled TDB and initialize the fields every TDB needs:
 * the inpcb binding queues, the policy list, the establishment time and
 * the four lifetime timeouts (armed later by whoever sets the lifetime).
 * M_WAITOK: may sleep, never returns NULL.  The caller owns the result
 * until puttdb() links it in; tdb_free() releases it.
 */
struct tdb *
tdb_alloc(void)
{
	struct tdb *t;

	MALLOC(t, struct tdb *, sizeof(*t), M_TDB, M_WAITOK);
	bzero(t, sizeof(*t));

	TAILQ_INIT(&t->tdb_inp_out);
	TAILQ_INIT(&t->tdb_inp_in);
	TAILQ_INIT(&t->tdb_policy_head);

	t->tdb_established = time.tv_sec;

	timeout_set(&t->tdb_timer_tmo, tdb_timeout, t);
	timeout_set(&t->tdb_first_tmo, tdb_firstuse, t);
	timeout_set(&t->tdb_stimer_tmo, tdb_soft_timeout, t);
	timeout_set(&t->tdb_sfirst_tmo, tdb_soft_firstuse, t);

	return t;
}
793 
/*
 * Release a TDB that has already been unlinked from the hash tables.
 * Order matters: the transform's zeroize hook runs first so its keying
 * state is discarded, then every object pointing at this TDB (bound
 * sockets, policies, the bundle neighbours) is detached, the lifetime
 * timeouts are disarmed, the reference-counted IDs/credentials are
 * dropped and finally the memory is freed.
 */
void
tdb_free(struct tdb *tdbp)
{
	struct ipsec_ref **refs[6];
	struct ipsec_policy *ipo;
	struct inpcb *inp;
	int k;

	if (tdbp->tdb_xform != NULL) {
		(*(tdbp->tdb_xform->xf_zeroize))(tdbp);
		tdbp->tdb_xform = NULL;
	}

	/* Detach sockets bound to this SA in either direction. */
	while ((inp = TAILQ_FIRST(&tdbp->tdb_inp_in)) != NULL) {
		TAILQ_REMOVE(&tdbp->tdb_inp_in, inp, inp_tdb_in_next);
		inp->inp_tdb_in = NULL;
	}
	while ((inp = TAILQ_FIRST(&tdbp->tdb_inp_out)) != NULL) {
		TAILQ_REMOVE(&tdbp->tdb_inp_out, inp, inp_tdb_out_next);
		inp->inp_tdb_out = NULL;
	}

	/* Detach policies; zeroing ipo_last_searched forces a re-search. */
	while ((ipo = TAILQ_FIRST(&tdbp->tdb_policy_head)) != NULL) {
		TAILQ_REMOVE(&tdbp->tdb_policy_head, ipo, ipo_tdb_next);
		ipo->ipo_tdb = NULL;
		ipo->ipo_last_searched = 0;
	}

	/* Disarm all lifetime timers. */
	tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER |
	    TDBF_SOFT_TIMER);
	timeout_del(&tdbp->tdb_timer_tmo);
	timeout_del(&tdbp->tdb_first_tmo);
	timeout_del(&tdbp->tdb_stimer_tmo);
	timeout_del(&tdbp->tdb_sfirst_tmo);

	/* Drop the reference-counted IDs and credentials. */
	refs[0] = &tdbp->tdb_local_auth;
	refs[1] = &tdbp->tdb_remote_auth;
	refs[2] = &tdbp->tdb_srcid;
	refs[3] = &tdbp->tdb_dstid;
	refs[4] = &tdbp->tdb_local_cred;
	refs[5] = &tdbp->tdb_remote_cred;
	for (k = 0; k < 6; k++) {
		if (*refs[k] != NULL) {
			ipsp_reffree(*refs[k]);
			*refs[k] = NULL;
		}
	}

	/* Break the bundle links that point back at us. */
	if (tdbp->tdb_onext != NULL && tdbp->tdb_onext->tdb_inext == tdbp)
		tdbp->tdb_onext->tdb_inext = NULL;
	if (tdbp->tdb_inext != NULL && tdbp->tdb_inext->tdb_onext == tdbp)
		tdbp->tdb_inext->tdb_onext = NULL;

	FREE(tdbp, M_TDB);
}
872 
/*
 * Finish initializing a TDB for transform alg: find the matching
 * xformsw row and hand tdbp and the key material in ii to its xf_init
 * hook, returning whatever that hook returns.  Returns EINVAL (after a
 * debug message) if no transform of that type is compiled in.
 */
int
tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii)
{
	struct xformsw *xsp = xformsw;

	while (xsp < xformswNXFORMSW) {
		if (xsp->xf_type == alg)
			return (*(xsp->xf_init))(tdbp, xsp, ii);
		xsp++;
	}

	DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n",
	    alg, ntohl(tdbp->tdb_spi), ipsp_address(tdbp->tdb_dst),
	    tdbp->tdb_sproto));

	return EINVAL;
}
895 
/*
 * Translate three IPsec levels into the NOTIFY_SATYPE_* bitmask of
 * transforms required: a level of IPSEC_LEVEL_USE or stronger requires
 * the corresponding transform.
 */
static u_int8_t
sa_require_from_levels(int auth, int esp_trans, int esp_network)
{
	u_int8_t req = 0;

	if (auth >= IPSEC_LEVEL_USE)
		req |= NOTIFY_SATYPE_AUTH;
	if (esp_trans >= IPSEC_LEVEL_USE)
		req |= NOTIFY_SATYPE_CONF;
	if (esp_network >= IPSEC_LEVEL_USE)
		req |= NOTIFY_SATYPE_TUNNEL;

	return req;
}

/*
 * Check which transformations are required for a socket (its
 * inp_seclevel[] settings) or, when inp is NULL, for the system
 * defaults.
 */
u_int8_t
get_sa_require(struct inpcb *inp)
{
	if (inp == NULL)
		return sa_require_from_levels(ipsec_auth_default_level,
		    ipsec_esp_trans_default_level,
		    ipsec_esp_network_default_level);

	return sa_require_from_levels(inp->inp_seclevel[SL_AUTH],
	    inp->inp_seclevel[SL_ESP_TRANS],
	    inp->inp_seclevel[SL_ESP_NETWORK]);
}
922 
/*
 * Bind inp to tdb for the given direction (inout != 0: inbound, else
 * outbound), adding it to the TDB's list of directly referencing
 * sockets.  A socket already bound to this very TDB is left alone; one
 * bound to a different TDB is first removed from that TDB's list.
 */
void
tdb_add_inp(struct tdb *tdb, struct inpcb *inp, int inout)
{
	struct tdb *old;

	if (inout) {
		old = inp->inp_tdb_in;
		if (old != NULL) {
			if (old == tdb)
				return;
			TAILQ_REMOVE(&old->tdb_inp_in, inp, inp_tdb_in_next);
		}
		inp->inp_tdb_in = tdb;
		TAILQ_INSERT_TAIL(&tdb->tdb_inp_in, inp, inp_tdb_in_next);
		return;
	}

	old = inp->inp_tdb_out;
	if (old != NULL) {
		if (old == tdb)
			return;
		TAILQ_REMOVE(&old->tdb_inp_out, inp, inp_tdb_out_next);
	}
	inp->inp_tdb_out = tdb;
	TAILQ_INSERT_TAIL(&tdb->tdb_inp_out, inp, inp_tdb_out_next);
}
953 
/*
 * Return a printable dotted-quad string for an IPv4 address.  The
 * result lives in one of four static buffers used round-robin, so up
 * to four results may be alive at once (e.g. within one printf call);
 * the fifth call overwrites the first.  Not reentrant — diagnostics only.
 */
char *
inet_ntoa4(struct in_addr ina)
{
	static char bufs[4][4 * sizeof "123" + 4];
	static int slot = 3;
	const unsigned char *b = (const unsigned char *)&ina;
	char *out;

	slot = (slot + 1) % 4;
	out = bufs[slot];
	snprintf(out, sizeof bufs[0], "%u.%u.%u.%u",
	    (unsigned)b[0], (unsigned)b[1], (unsigned)b[2], (unsigned)b[3]);
	return out;
}
968 
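/*
 * Return a printable string for the address in sa, for diagnostics
 * (DPRINTF) only: the IPv4 form comes from inet_ntoa4()'s rotating
 * static buffers and the IPv6 form from ip6_sprintf(), so the result
 * must be consumed before further calls.  Unknown families yield a
 * fixed placeholder string.
 *
 * Uses #ifdef INET/INET6 like the rest of the file (and
 * ipsp_is_unspecified() below); the old "#if INET" would break if
 * either option were ever defined without a value.
 */
char *
ipsp_address(union sockaddr_union sa)
{
	switch (sa.sa.sa_family) {
#ifdef INET
	case AF_INET:
		return inet_ntoa4(sa.sin.sin_addr);
#endif /* INET */

#ifdef INET6
	case AF_INET6:
		return ip6_sprintf(&sa.sin6.sin6_addr);
#endif /* INET6 */

	default:
		return "(unknown address family)";
	}
}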
988 
/*
 * Return 1 if addr is an unspecified IPv4 (INADDR_ANY) or IPv6 (::)
 * address, 0 if it is a concrete address of either family.  Anything
 * else — including sa_family 0, i.e. no family set — is treated as
 * unspecified and yields 1.
 */
int
ipsp_is_unspecified(union sockaddr_union addr)
{
	int unspecified = 1;

	switch (addr.sa.sa_family) {
#ifdef INET
	case AF_INET:
		unspecified = (addr.sin.sin_addr.s_addr == INADDR_ANY) ? 1 : 0;
		break;
#endif /* INET */

#ifdef INET6
	case AF_INET6:
		unspecified =
		    IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr) ? 1 : 0;
		break;
#endif /* INET6 */

	default:	/* includes family 0: no family set */
		break;
	}

	return unspecified;
}
1015 
/*
 * Drop one reference on a reference-counted ipsec_ref; the object is
 * freed (with its own malloc type) when the count reaches zero.  A
 * count that is already <= 0 on entry indicates an over-release; under
 * DIAGNOSTIC this is logged, and the object is then freed as before.
 */
void
ipsp_reffree(struct ipsec_ref *ipr)
{
#ifdef DIAGNOSTIC
	if (ipr->ref_count <= 0)
		printf("ipsp_reffree: illegal reference count %d for "
		    "object %p (len = %d, malloctype = %d)\n",
		    ipr->ref_count, ipr, ipr->ref_len, ipr->ref_malloctype);
#endif
	ipr->ref_count--;
	if (ipr->ref_count > 0)
		return;
	FREE(ipr, ipr->ref_malloctype);
}
1029 
/*
 * Set TDBF_SKIPCRYPTO on the TDB identified by tdbi (looked up with
 * gettdb() under spltdb()) and stamp tdb_last_marked.  A tdbi that
 * names no current TDB is silently ignored.
 */
void
ipsp_skipcrypto_mark(struct tdb_ident *tdbi)
{
	struct tdb *found;
	int s;

	s = spltdb();
	found = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
	if (found == NULL) {
		splx(s);
		return;
	}
	found->tdb_flags |= TDBF_SKIPCRYPTO;
	found->tdb_last_marked = time.tv_sec;
	splx(s);
}
1044 
/*
 * Clear TDBF_SKIPCRYPTO on the TDB identified by tdbi (looked up with
 * gettdb() under spltdb()) and stamp tdb_last_marked.  A tdbi that
 * names no current TDB is silently ignored.
 */
void
ipsp_skipcrypto_unmark(struct tdb_ident *tdbi)
{
	struct tdb *found;
	int s;

	s = spltdb();
	found = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
	if (found == NULL) {
		splx(s);
		return;
	}
	found->tdb_flags &= ~TDBF_SKIPCRYPTO;
	found->tdb_last_marked = time.tv_sec;
	splx(s);
}
1059 
/*
 * Return true if two ipsec_refs are equal: same type, same length and
 * identical payload (which follows the header, hence ref + 1).  The
 * length check comes before bcmp() so the comparison never reads past
 * the shorter payload.  These are identifiers, not secrets, so a
 * non-constant-time compare is acceptable here.
 */
int
ipsp_ref_match(struct ipsec_ref *ref1, struct ipsec_ref *ref2)
{
	const void *data1 = ref1 + 1, *data2 = ref2 + 1;

	if (ref1->ref_type != ref2->ref_type)
		return 0;
	if (ref1->ref_len != ref2->ref_len)
		return 0;

	return bcmp(data1, data2, ref1->ref_len) == 0;
}
1071 
1072 #ifdef notyet
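/*
 * Go down a chain of IPv4/IPv6/ESP/AH/IPIP headers, creating a
 * PACKET_TAG_IPSEC_IN_CRYPTO_DONE tag (carrying a struct tdb_ident) for
 * each IPsec header encountered.
 *
 * m:     the packet; m->m_pkthdr.len is used to locate the ESP trailer.
 * off:   offset in m of the first header.
 * proto: type of that header; must be IPPROTO_IPV4 or IPPROTO_IPV6,
 *        otherwise NULL is returned.
 *
 * Returns the head of the tag list, or NULL if no tag was created.  The
 * walk stops and returns the tags collected so far when it reaches a
 * protocol it does not understand, when a tag cannot be allocated, when
 * no ESP SA matches the SPI/destination, when the SA uses random padding
 * (decryption cannot be verified), or when the ESP self-describing
 * padding does not verify.
 *
 * NOTE(review): header-derived offsets (ip_hl, the AH payload length,
 * the ESP header length) are handed to m_copydata() without being
 * compared against m->m_pkthdr.len; what happens on a truncated chain
 * depends on m_copydata() -- confirm before enabling this code.
 * NOTE(review): `trail' accumulates one authenticator per ESP layer but
 * the outer layer's padding is not accounted for when locating an inner
 * ESP trailer -- verify against the nested-ESP case.
 */
struct m_tag *
ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto)
{
	int ipv4sa = 0, s, esphlen = 0, trail = 0, i;
	SLIST_HEAD(packet_tags, m_tag) tags;
	/* Tail of the ESP payload: pad bytes, pad length, next header. */
	unsigned char lasteight[8];
	struct tdb_ident *tdbi;
	struct m_tag *mtag;
	struct tdb *tdb;

#ifdef INET
	struct ip iph;
#endif /* INET */

#ifdef INET6
	struct in6_addr ip6_dst;
#endif /* INET6 */

	/* We have to start with a known network protocol. */
	if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6)
		return NULL;

	SLIST_INIT(&tags);

	while (1) {
		switch (proto) {
#ifdef INET
		case IPPROTO_IPV4: /* Also IPPROTO_IPIP */
		{
			/*
			 * Save the IP header (we need both the
			 * address and ip_hl).
			 */
			m_copydata(m, off, sizeof(struct ip), (caddr_t) &iph);
			ipv4sa = 1;
			proto = iph.ip_p;
			off += iph.ip_hl << 2;
			break;
		}
#endif /* INET */

#ifdef INET6
		case IPPROTO_IPV6:
		{
			int nxtp, l;

			/*
			 * Copy the IPv6 destination address.  Only the
			 * address is copied: ip6_dst is a struct in6_addr,
			 * so copying a whole ip6_hdr would overrun it.
			 */
			m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst),
			    sizeof(ip6_dst), (caddr_t) &ip6_dst);
			ipv4sa = 0;

			/*
			 * Go down the chain of headers until we encounter a
			 * non-option.
			 */
			for (l = ip6_nexthdr(m, off, proto, &nxtp); l != -1;
			    l = ip6_nexthdr(m, off, proto, &nxtp)) {
				off += l;
				proto = nxtp;

				/* Construct a tag. */
				if (nxtp == IPPROTO_AH) {
					mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE,
					    sizeof(struct tdb_ident),
					    M_NOWAIT);

					if (mtag == NULL)
						return SLIST_FIRST(&tags);

					tdbi = (struct tdb_ident *) (mtag + 1);
					bzero(tdbi, sizeof(struct tdb_ident));

					/* SPI is the second 32-bit word of AH. */
					m_copydata(m, off + sizeof(u_int32_t),
					    sizeof(u_int32_t),
					    (caddr_t) &tdbi->spi);

					tdbi->proto = IPPROTO_AH;
					tdbi->dst.sin6.sin6_family = AF_INET6;
					tdbi->dst.sin6.sin6_len =
					    sizeof(struct sockaddr_in6);
					tdbi->dst.sin6.sin6_addr = ip6_dst;
					SLIST_INSERT_HEAD(&tags,
					    mtag, m_tag_link);
				} else if (nxtp == IPPROTO_IPV6) {
					/*
					 * Nested IPv6 header: track the inner
					 * destination (address only, see above).
					 */
					m_copydata(m, off +
					    offsetof(struct ip6_hdr, ip6_dst),
					    sizeof(ip6_dst), (caddr_t) &ip6_dst);
				}
			}
			break;
		}
#endif /* INET6 */

		case IPPROTO_ESP:
		/* Verify that this has been decrypted. */
		{
			union sockaddr_union su;
			u_int32_t spi;

			m_copydata(m, off, sizeof(u_int32_t), (caddr_t) &spi);
			bzero(&su, sizeof(union sockaddr_union));

			s = spltdb();

#ifdef INET
			if (ipv4sa) {
				su.sin.sin_family = AF_INET;
				su.sin.sin_len = sizeof(struct sockaddr_in);
				su.sin.sin_addr = iph.ip_dst;
			}
#endif /* INET */

#ifdef INET6
			if (!ipv4sa) {
				su.sin6.sin6_family = AF_INET6;
				su.sin6.sin6_len = sizeof(struct sockaddr_in6);
				su.sin6.sin6_addr = ip6_dst;
			}
#endif /* INET6 */

			tdb = gettdb(spi, &su, IPPROTO_ESP);
			if (tdb == NULL) {
				splx(s);
				return SLIST_FIRST(&tags);
			}

			/* How large is the ESP header ? We use this later. */
			if (tdb->tdb_flags & TDBF_NOREPLAY)
				esphlen = sizeof(u_int32_t) + tdb->tdb_ivlen;
			else
				esphlen = 2 * sizeof(u_int32_t) +
				    tdb->tdb_ivlen;

			/*
			 * Verify decryption. If the SA is using
			 * random padding (as the "old" ESP SAs were
			 * bound to do), there's nothing we can do to
			 * see if the payload has been decrypted.
			 */
			if (tdb->tdb_flags & TDBF_RANDOMPADDING) {
				splx(s);
				return SLIST_FIRST(&tags);
			}

			/* Update the length of trailing ESP authenticators. */
			if (tdb->tdb_authalgxform)
				trail += AH_HMAC_HASHLEN;

			splx(s);

			/*
			 * Copy the last 8 bytes of the ESP payload, i.e. the
			 * bytes just before the authenticator(s).  A packet
			 * too short to hold them cannot carry a valid
			 * trailer; stop rather than hand m_copydata() a
			 * negative offset.
			 */
			if (m->m_pkthdr.len - trail < 8)
				return SLIST_FIRST(&tags);
			m_copydata(m, m->m_pkthdr.len - trail - 8, 8,
			    lasteight);

			/*
			 * Verify the self-describing padding values:
			 * lasteight[6] is the pad length, lasteight[7] the
			 * next header; when padding is present its last
			 * byte must equal the pad length and each earlier
			 * byte (as far as the 8 bytes we hold reach) must be
			 * one less than its successor.
			 */
			if (lasteight[6] != 0) {
				if (lasteight[6] != lasteight[5])
					return SLIST_FIRST(&tags);

				for (i = 4; i >= 0 && lasteight[i + 1] != 1;
				    i--)
					if (lasteight[i + 1] !=
					    lasteight[i] + 1)
						return SLIST_FIRST(&tags);
			}
		}
		/* FALLTHROUGH */
		case IPPROTO_AH:
			mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE,
			    sizeof(struct tdb_ident), M_NOWAIT);
			if (mtag == NULL)
				return SLIST_FIRST(&tags);

			tdbi = (struct tdb_ident *) (mtag + 1);
			bzero(tdbi, sizeof(struct tdb_ident));

			/*
			 * Get SPI off the relevant header: second 32-bit
			 * word for AH, first for ESP.
			 */
			if (proto == IPPROTO_AH)
				m_copydata(m, off + sizeof(u_int32_t),
				    sizeof(u_int32_t), (caddr_t) &tdbi->spi);
			else /* IPPROTO_ESP */
				m_copydata(m, off, sizeof(u_int32_t),
				    (caddr_t) &tdbi->spi);

			tdbi->proto = proto; /* AH or ESP */

#ifdef INET
			/* Last network header was IPv4. */
			if (ipv4sa) {
				tdbi->dst.sin.sin_family = AF_INET;
				tdbi->dst.sin.sin_len =
				    sizeof(struct sockaddr_in);
				tdbi->dst.sin.sin_addr = iph.ip_dst;
			}
#endif /* INET */

#ifdef INET6
			/* Last network header was IPv6. */
			if (!ipv4sa) {
				tdbi->dst.sin6.sin6_family = AF_INET6;
				tdbi->dst.sin6.sin6_len =
				    sizeof(struct sockaddr_in6);
				tdbi->dst.sin6.sin6_addr = ip6_dst;
			}
#endif /* INET6 */

			SLIST_INSERT_HEAD(&tags, mtag, m_tag_link);

			/* Update next protocol/header and header offset. */
			if (proto == IPPROTO_AH) {
				/*
				 * AH starts with next-header then payload
				 * length, the latter in 32-bit words minus 2.
				 */
				u_int8_t ahhdr[2];

				m_copydata(m, off, 2 * sizeof(u_int8_t), ahhdr);
				proto = ahhdr[0];
				off += (ahhdr[1] + 2) << 2;
			} else {/* IPPROTO_ESP */
				/*
				 * esphlen and lasteight were set in the
				 * IPPROTO_ESP case we fell through from.
				 */
				off += esphlen;
				proto = lasteight[7];
			}
			break;

		default:
			return SLIST_FIRST(&tags); /* We're done. */
		}
	}
}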
1308 #endif /* notyet */
1309