ipsec.c revision 180636
1/*	$FreeBSD: head/sys/netipsec/ipsec.c 180636 2008-07-20 17:51:58Z trhodes $	*/
2/*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
3
4/*-
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the project nor the names of its contributors
17 *    may be used to endorse or promote products derived from this software
18 *    without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33/*
34 * IPsec controller part.
35 */
36
37#include "opt_inet.h"
38#include "opt_inet6.h"
39#include "opt_ipsec.h"
40
41#include <sys/param.h>
42#include <sys/systm.h>
43#include <sys/malloc.h>
44#include <sys/mbuf.h>
45#include <sys/domain.h>
46#include <sys/priv.h>
47#include <sys/protosw.h>
48#include <sys/socket.h>
49#include <sys/socketvar.h>
50#include <sys/errno.h>
51#include <sys/time.h>
52#include <sys/kernel.h>
53#include <sys/syslog.h>
54#include <sys/sysctl.h>
55#include <sys/proc.h>
56
57#include <net/if.h>
58#include <net/route.h>
59
60#include <netinet/in.h>
61#include <netinet/in_systm.h>
62#include <netinet/ip.h>
63#include <netinet/ip_var.h>
64#include <netinet/in_var.h>
65#include <netinet/udp.h>
66#include <netinet/udp_var.h>
67#include <netinet/tcp.h>
68#include <netinet/udp.h>
69
70#include <netinet/ip6.h>
71#ifdef INET6
72#include <netinet6/ip6_var.h>
73#endif
74#include <netinet/in_pcb.h>
75#ifdef INET6
76#include <netinet/icmp6.h>
77#endif
78
79#include <sys/types.h>
80#include <netipsec/ipsec.h>
81#ifdef INET6
82#include <netipsec/ipsec6.h>
83#endif
84#include <netipsec/ah_var.h>
85#include <netipsec/esp_var.h>
86#include <netipsec/ipcomp.h>		/*XXX*/
87#include <netipsec/ipcomp_var.h>
88
89#include <netipsec/key.h>
90#include <netipsec/keydb.h>
91#include <netipsec/key_debug.h>
92
93#include <netipsec/xform.h>
94
95#include <machine/in_cksum.h>
96
97#include <opencrypto/cryptodev.h>
98
99#ifdef IPSEC_DEBUG
100int ipsec_debug = 1;
101#else
102int ipsec_debug = 0;
103#endif
104
105/* NB: name changed so netstat doesn't use it */
106struct ipsecstat ipsec4stat;
107int ip4_ah_offsetmask = 0;	/* maybe IP_DF? */
108int ip4_ipsec_dfbit = 0;	/* DF bit on encap. 0: clear 1: set 2: copy */
109int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
110int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
111int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
112int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
113struct secpolicy ip4_def_policy;
114int ip4_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
115int ip4_esp_randpad = -1;
116/*
117 * Crypto support requirements:
118 *
119 *  1	require hardware support
120 * -1	require software support
121 *  0	take anything
122 */
123int	crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
124
125SYSCTL_DECL(_net_inet_ipsec);
126
127/* net.inet.ipsec */
128SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
129	def_policy, CTLFLAG_RW,	&ip4_def_policy.policy,	0, "IPsec default policy.");
130SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
131	CTLFLAG_RW, &ip4_esp_trans_deflev,	0, "Default ESP transport mode level");
132SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
133	CTLFLAG_RW, &ip4_esp_net_deflev,	0, "Default ESP tunnel mode level.");
134SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
135	CTLFLAG_RW, &ip4_ah_trans_deflev,	0, "AH transfer mode default level.");
136SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
137	CTLFLAG_RW, &ip4_ah_net_deflev,	0, "AH tunnel mode default level.");
138SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
139	ah_cleartos, CTLFLAG_RW,	&ah_cleartos,	0,
140	"If set clear type-of-service field when doing AH computation.");
141SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
142	ah_offsetmask, CTLFLAG_RW,	&ip4_ah_offsetmask,	0,
143	"If not set clear offset field mask when doing AH computation.");
144SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
145	dfbit, CTLFLAG_RW,	&ip4_ipsec_dfbit,	0, "Do not fragment bit on encap.");
146SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
147	ecn, CTLFLAG_RW,	&ip4_ipsec_ecn,	0, "Explicit Congestion Notification handling.");
148SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
149	debug, CTLFLAG_RW,	&ipsec_debug,	0, "Enable IPsec debugging output when set.");
150SYSCTL_INT(_net_inet_ipsec, OID_AUTO,
151	crypto_support,	CTLFLAG_RW,	&crypto_support,0, "Crypto driver selection.");
152SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
153	ipsecstats,	CTLFLAG_RD,	&ipsec4stat, ipsecstat, "IPsec IPv4 statistics.");
154
155#ifdef REGRESSION
156/*
157 * When set to 1, IPsec will send packets with the same sequence number.
158 * This allows to verify if the other side has proper replay attacks detection.
159 */
160int ipsec_replay = 0;
161SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0,
162    "Emulate replay attack");
163/*
164 * When set 1, IPsec will send packets with corrupted HMAC.
165 * This allows to verify if the other side properly detects modified packets.
166 */
167int ipsec_integrity = 0;
168SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,
169    &ipsec_integrity, 0, "Emulate man-in-the-middle attack");
170#endif
171
172#ifdef INET6
173struct ipsecstat ipsec6stat;
174int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
175int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
176int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
177int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
178int ip6_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
179
180SYSCTL_DECL(_net_inet6_ipsec6);
181
182/* net.inet6.ipsec6 */
183#ifdef COMPAT_KAME
184SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
185	0,0, compat_ipsecstats_sysctl, "S", "IPsec IPv6 statistics.");
186#endif /* COMPAT_KAME */
187SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
188	def_policy, CTLFLAG_RW,	&ip4_def_policy.policy,	0, "IPsec default policy.");
189SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
190	CTLFLAG_RW, &ip6_esp_trans_deflev,	0, "Default ESP transport mode level.");
191SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
192	CTLFLAG_RW, &ip6_esp_net_deflev,	0, "Default ESP tunnel mode level.");
193SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
194	CTLFLAG_RW, &ip6_ah_trans_deflev,	0, "AH transfer mode default level.");
195SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
196	CTLFLAG_RW, &ip6_ah_net_deflev,	0, "AH tunnel mode default level.");
197SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
198	ecn, CTLFLAG_RW,	&ip6_ipsec_ecn,	0,
199	"Explicit Congestion Notification handling.");
200SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
201	debug, CTLFLAG_RW,	&ipsec_debug,	0, "Enable IPsec debugging output when set.");
202SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
203	ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "IPsec IPv6 statistics.");
204#endif /* INET6 */
205
206static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
207#ifdef INET6
208static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
209#endif
210static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
211static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
212static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
213#ifdef INET6
214static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
215static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
216#endif
217static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
218static struct secpolicy *ipsec_deepcopy_policy __P((struct secpolicy *src));
219static int ipsec_set_policy __P((struct secpolicy **pcb_sp,
220	int optname, caddr_t request, size_t len, struct ucred *cred));
221static int ipsec_get_policy __P((struct secpolicy *pcb_sp, struct mbuf **mp));
222static void vshiftl __P((unsigned char *, int, int));
223static size_t ipsec_hdrsiz __P((struct secpolicy *));
224
225MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
226
227/*
228 * Return a held reference to the default SP.
229 */
230static struct secpolicy *
231key_allocsp_default(const char* where, int tag)
232{
233	struct secpolicy *sp;
234
235	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
236		printf("DP key_allocsp_default from %s:%u\n", where, tag));
237
238	sp = &ip4_def_policy;
239	if (sp->policy != IPSEC_POLICY_DISCARD &&
240	    sp->policy != IPSEC_POLICY_NONE) {
241		ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
242		    sp->policy, IPSEC_POLICY_NONE));
243		sp->policy = IPSEC_POLICY_NONE;
244	}
245	key_addref(sp);
246
247	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
248		printf("DP key_allocsp_default returns SP:%p (%u)\n",
249			sp, sp->refcnt));
250	return sp;
251}
252#define	KEY_ALLOCSP_DEFAULT() \
253	key_allocsp_default(__FILE__, __LINE__)
254
255/*
256 * For OUTBOUND packet having a socket. Searching SPD for packet,
257 * and return a pointer to SP.
258 * OUT:	NULL:	no apropreate SP found, the following value is set to error.
259 *		0	: bypass
260 *		EACCES	: discard packet.
261 *		ENOENT	: ipsec_acquire() in progress, maybe.
262 *		others	: error occured.
263 *	others:	a pointer to SP
264 *
265 * NOTE: IPv6 mapped adddress concern is implemented here.
266 */
267struct secpolicy *
268ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir)
269{
270	struct secpolicy *sp;
271
272	IPSEC_ASSERT(tdbi != NULL, ("null tdbi"));
273	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
274		("invalid direction %u", dir));
275
276	sp = KEY_ALLOCSP2(tdbi->spi, &tdbi->dst, tdbi->proto, dir);
277	if (sp == NULL)			/*XXX????*/
278		sp = KEY_ALLOCSP_DEFAULT();
279	IPSEC_ASSERT(sp != NULL, ("null SP"));
280	return sp;
281}
282
283/*
284 * For OUTBOUND packet having a socket. Searching SPD for packet,
285 * and return a pointer to SP.
286 * OUT:	NULL:	no apropreate SP found, the following value is set to error.
287 *		0	: bypass
288 *		EACCES	: discard packet.
289 *		ENOENT	: ipsec_acquire() in progress, maybe.
290 *		others	: error occured.
291 *	others:	a pointer to SP
292 *
293 * NOTE: IPv6 mapped adddress concern is implemented here.
294 */
295struct secpolicy *
296ipsec_getpolicybysock(m, dir, inp, error)
297	struct mbuf *m;
298	u_int dir;
299	struct inpcb *inp;
300	int *error;
301{
302	struct inpcbpolicy *pcbsp = NULL;
303	struct secpolicy *currsp = NULL;	/* policy on socket */
304	struct secpolicy *sp;
305
306	IPSEC_ASSERT(m != NULL, ("null mbuf"));
307	IPSEC_ASSERT(inp != NULL, ("null inpcb"));
308	IPSEC_ASSERT(error != NULL, ("null error"));
309	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
310		("invalid direction %u", dir));
311
312	/* set spidx in pcb */
313	if (inp->inp_vflag & INP_IPV6PROTO) {
314#ifdef INET6
315		*error = ipsec6_setspidx_in6pcb(m, inp);
316		pcbsp = inp->in6p_sp;
317#else
318		*error = EINVAL;		/* should not happen */
319#endif
320	} else {
321		*error = ipsec4_setspidx_inpcb(m, inp);
322		pcbsp = inp->inp_sp;
323	}
324	if (*error)
325		return NULL;
326
327	IPSEC_ASSERT(pcbsp != NULL, ("null pcbsp"));
328	switch (dir) {
329	case IPSEC_DIR_INBOUND:
330		currsp = pcbsp->sp_in;
331		break;
332	case IPSEC_DIR_OUTBOUND:
333		currsp = pcbsp->sp_out;
334		break;
335	}
336	IPSEC_ASSERT(currsp != NULL, ("null currsp"));
337
338	if (pcbsp->priv) {			/* when privilieged socket */
339		switch (currsp->policy) {
340		case IPSEC_POLICY_BYPASS:
341		case IPSEC_POLICY_IPSEC:
342			key_addref(currsp);
343			sp = currsp;
344			break;
345
346		case IPSEC_POLICY_ENTRUST:
347			/* look for a policy in SPD */
348			sp = KEY_ALLOCSP(&currsp->spidx, dir);
349			if (sp == NULL)		/* no SP found */
350				sp = KEY_ALLOCSP_DEFAULT();
351			break;
352
353		default:
354			ipseclog((LOG_ERR, "%s: Invalid policy for PCB %d\n",
355				__func__, currsp->policy));
356			*error = EINVAL;
357			return NULL;
358		}
359	} else {				/* unpriv, SPD has policy */
360		sp = KEY_ALLOCSP(&currsp->spidx, dir);
361		if (sp == NULL) {		/* no SP found */
362			switch (currsp->policy) {
363			case IPSEC_POLICY_BYPASS:
364				ipseclog((LOG_ERR, "%s: Illegal policy for "
365					"non-priviliged defined %d\n",
366					__func__, currsp->policy));
367				*error = EINVAL;
368				return NULL;
369
370			case IPSEC_POLICY_ENTRUST:
371				sp = KEY_ALLOCSP_DEFAULT();
372				break;
373
374			case IPSEC_POLICY_IPSEC:
375				key_addref(currsp);
376				sp = currsp;
377				break;
378
379			default:
380				ipseclog((LOG_ERR, "%s: Invalid policy for "
381					"PCB %d\n", __func__, currsp->policy));
382				*error = EINVAL;
383				return NULL;
384			}
385		}
386	}
387	IPSEC_ASSERT(sp != NULL,
388		("null SP (priv %u policy %u", pcbsp->priv, currsp->policy));
389	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
390		printf("DP %s (priv %u policy %u) allocate SP:%p (refcnt %u)\n",
391			__func__, pcbsp->priv, currsp->policy, sp, sp->refcnt));
392	return sp;
393}
394
395/*
396 * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
397 * and return a pointer to SP.
398 * OUT:	positive: a pointer to the entry for security policy leaf matched.
399 *	NULL:	no apropreate SP found, the following value is set to error.
400 *		0	: bypass
401 *		EACCES	: discard packet.
402 *		ENOENT	: ipsec_acquire() in progress, maybe.
403 *		others	: error occured.
404 */
405struct secpolicy *
406ipsec_getpolicybyaddr(m, dir, flag, error)
407	struct mbuf *m;
408	u_int dir;
409	int flag;
410	int *error;
411{
412	struct secpolicyindex spidx;
413	struct secpolicy *sp;
414
415	IPSEC_ASSERT(m != NULL, ("null mbuf"));
416	IPSEC_ASSERT(error != NULL, ("null error"));
417	IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND,
418		("invalid direction %u", dir));
419
420	sp = NULL;
421	if (key_havesp(dir)) {
422		/* Make an index to look for a policy. */
423		*error = ipsec_setspidx(m, &spidx,
424					(flag & IP_FORWARDING) ? 0 : 1);
425		if (*error != 0) {
426			DPRINTF(("%s: setpidx failed, dir %u flag %u\n",
427				__func__, dir, flag));
428			return NULL;
429		}
430		spidx.dir = dir;
431
432		sp = KEY_ALLOCSP(&spidx, dir);
433	}
434	if (sp == NULL)			/* no SP found, use system default */
435		sp = KEY_ALLOCSP_DEFAULT();
436	IPSEC_ASSERT(sp != NULL, ("null SP"));
437	return sp;
438}
439
440struct secpolicy *
441ipsec4_checkpolicy(m, dir, flag, error, inp)
442	struct mbuf *m;
443	u_int dir, flag;
444	int *error;
445	struct inpcb *inp;
446{
447	struct secpolicy *sp;
448
449	*error = 0;
450	if (inp == NULL)
451		sp = ipsec_getpolicybyaddr(m, dir, flag, error);
452	else
453		sp = ipsec_getpolicybysock(m, dir, inp, error);
454	if (sp == NULL) {
455		IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
456		ipsec4stat.ips_out_inval++;
457		return NULL;
458	}
459	IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
460	switch (sp->policy) {
461	case IPSEC_POLICY_ENTRUST:
462	default:
463		printf("%s: invalid policy %u\n", __func__, sp->policy);
464		/* fall thru... */
465	case IPSEC_POLICY_DISCARD:
466		ipsec4stat.ips_out_polvio++;
467		*error = -EINVAL;	/* packet is discarded by caller */
468		break;
469	case IPSEC_POLICY_BYPASS:
470	case IPSEC_POLICY_NONE:
471		KEY_FREESP(&sp);
472		sp = NULL;		/* NB: force NULL result */
473		break;
474	case IPSEC_POLICY_IPSEC:
475		if (sp->req == NULL)	/* acquire an SA */
476			*error = key_spdacquire(sp);
477		break;
478	}
479	if (*error != 0) {
480		KEY_FREESP(&sp);
481		sp = NULL;
482	}
483	return sp;
484}
485
486static int
487ipsec4_setspidx_inpcb(m, pcb)
488	struct mbuf *m;
489	struct inpcb *pcb;
490{
491	int error;
492
493	IPSEC_ASSERT(pcb != NULL, ("null pcb"));
494	IPSEC_ASSERT(pcb->inp_sp != NULL, ("null inp_sp"));
495	IPSEC_ASSERT(pcb->inp_sp->sp_out != NULL && pcb->inp_sp->sp_in != NULL,
496		("null sp_in || sp_out"));
497
498	error = ipsec_setspidx(m, &pcb->inp_sp->sp_in->spidx, 1);
499	if (error == 0) {
500		pcb->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND;
501		pcb->inp_sp->sp_out->spidx = pcb->inp_sp->sp_in->spidx;
502		pcb->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND;
503	} else {
504		bzero(&pcb->inp_sp->sp_in->spidx,
505			sizeof (pcb->inp_sp->sp_in->spidx));
506		bzero(&pcb->inp_sp->sp_out->spidx,
507			sizeof (pcb->inp_sp->sp_in->spidx));
508	}
509	return error;
510}
511
512#ifdef INET6
513static int
514ipsec6_setspidx_in6pcb(m, pcb)
515	struct mbuf *m;
516	struct in6pcb *pcb;
517{
518	struct secpolicyindex *spidx;
519	int error;
520
521	IPSEC_ASSERT(pcb != NULL, ("null pcb"));
522	IPSEC_ASSERT(pcb->in6p_sp != NULL, ("null inp_sp"));
523	IPSEC_ASSERT(pcb->in6p_sp->sp_out != NULL && pcb->in6p_sp->sp_in != NULL,
524		("null sp_in || sp_out"));
525
526	bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
527	bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
528
529	spidx = &pcb->in6p_sp->sp_in->spidx;
530	error = ipsec_setspidx(m, spidx, 1);
531	if (error)
532		goto bad;
533	spidx->dir = IPSEC_DIR_INBOUND;
534
535	spidx = &pcb->in6p_sp->sp_out->spidx;
536	error = ipsec_setspidx(m, spidx, 1);
537	if (error)
538		goto bad;
539	spidx->dir = IPSEC_DIR_OUTBOUND;
540
541	return 0;
542
543bad:
544	bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
545	bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
546	return error;
547}
548#endif
549
550/*
551 * configure security policy index (src/dst/proto/sport/dport)
552 * by looking at the content of mbuf.
553 * the caller is responsible for error recovery (like clearing up spidx).
554 */
555static int
556ipsec_setspidx(m, spidx, needport)
557	struct mbuf *m;
558	struct secpolicyindex *spidx;
559	int needport;
560{
561	struct ip *ip = NULL;
562	struct ip ipbuf;
563	u_int v;
564	struct mbuf *n;
565	int len;
566	int error;
567
568	IPSEC_ASSERT(m != NULL, ("null mbuf"));
569
570	/*
571	 * validate m->m_pkthdr.len.  we see incorrect length if we
572	 * mistakenly call this function with inconsistent mbuf chain
573	 * (like 4.4BSD tcp/udp processing).  XXX should we panic here?
574	 */
575	len = 0;
576	for (n = m; n; n = n->m_next)
577		len += n->m_len;
578	if (m->m_pkthdr.len != len) {
579		KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
580			printf("%s: pkthdr len(%d) mismatch (%d), ignored.\n",
581				__func__, len, m->m_pkthdr.len));
582		return EINVAL;
583	}
584
585	if (m->m_pkthdr.len < sizeof(struct ip)) {
586		KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
587			printf("%s: pkthdr len(%d) too small (v4), ignored.\n",
588			    __func__, m->m_pkthdr.len));
589		return EINVAL;
590	}
591
592	if (m->m_len >= sizeof(*ip))
593		ip = mtod(m, struct ip *);
594	else {
595		m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
596		ip = &ipbuf;
597	}
598#ifdef _IP_VHL
599	v = _IP_VHL_V(ip->ip_vhl);
600#else
601	v = ip->ip_v;
602#endif
603	switch (v) {
604	case 4:
605		error = ipsec4_setspidx_ipaddr(m, spidx);
606		if (error)
607			return error;
608		ipsec4_get_ulp(m, spidx, needport);
609		return 0;
610#ifdef INET6
611	case 6:
612		if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
613			KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
614				printf("%s: pkthdr len(%d) too small (v6), "
615				"ignored\n", __func__, m->m_pkthdr.len));
616			return EINVAL;
617		}
618		error = ipsec6_setspidx_ipaddr(m, spidx);
619		if (error)
620			return error;
621		ipsec6_get_ulp(m, spidx, needport);
622		return 0;
623#endif
624	default:
625		KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
626			printf("%s: " "unknown IP version %u, ignored.\n",
627				__func__, v));
628		return EINVAL;
629	}
630}
631
632static void
633ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
634{
635	u_int8_t nxt;
636	int off;
637
638	/* sanity check */
639	IPSEC_ASSERT(m != NULL, ("null mbuf"));
640	IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short"));
641
642	/* NB: ip_input() flips it into host endian XXX need more checking */
643	if (m->m_len < sizeof (struct ip)) {
644		struct ip *ip = mtod(m, struct ip *);
645		if (ip->ip_off & (IP_MF | IP_OFFMASK))
646			goto done;
647#ifdef _IP_VHL
648		off = _IP_VHL_HL(ip->ip_vhl) << 2;
649#else
650		off = ip->ip_hl << 2;
651#endif
652		nxt = ip->ip_p;
653	} else {
654		struct ip ih;
655
656		m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih);
657		if (ih.ip_off & (IP_MF | IP_OFFMASK))
658			goto done;
659#ifdef _IP_VHL
660		off = _IP_VHL_HL(ih.ip_vhl) << 2;
661#else
662		off = ih.ip_hl << 2;
663#endif
664		nxt = ih.ip_p;
665	}
666
667	while (off < m->m_pkthdr.len) {
668		struct ip6_ext ip6e;
669		struct tcphdr th;
670		struct udphdr uh;
671
672		switch (nxt) {
673		case IPPROTO_TCP:
674			spidx->ul_proto = nxt;
675			if (!needport)
676				goto done_proto;
677			if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
678				goto done;
679			m_copydata(m, off, sizeof (th), (caddr_t) &th);
680			spidx->src.sin.sin_port = th.th_sport;
681			spidx->dst.sin.sin_port = th.th_dport;
682			return;
683		case IPPROTO_UDP:
684			spidx->ul_proto = nxt;
685			if (!needport)
686				goto done_proto;
687			if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
688				goto done;
689			m_copydata(m, off, sizeof (uh), (caddr_t) &uh);
690			spidx->src.sin.sin_port = uh.uh_sport;
691			spidx->dst.sin.sin_port = uh.uh_dport;
692			return;
693		case IPPROTO_AH:
694			if (off + sizeof(ip6e) > m->m_pkthdr.len)
695				goto done;
696			/* XXX sigh, this works but is totally bogus */
697			m_copydata(m, off, sizeof(ip6e), (caddr_t) &ip6e);
698			off += (ip6e.ip6e_len + 2) << 2;
699			nxt = ip6e.ip6e_nxt;
700			break;
701		case IPPROTO_ICMP:
702		default:
703			/* XXX intermediate headers??? */
704			spidx->ul_proto = nxt;
705			goto done_proto;
706		}
707	}
708done:
709	spidx->ul_proto = IPSEC_ULPROTO_ANY;
710done_proto:
711	spidx->src.sin.sin_port = IPSEC_PORT_ANY;
712	spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
713}
714
715/* assumes that m is sane */
716static int
717ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
718{
719	static const struct sockaddr_in template = {
720		sizeof (struct sockaddr_in),
721		AF_INET,
722		0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 }
723	};
724
725	spidx->src.sin = template;
726	spidx->dst.sin = template;
727
728	if (m->m_len < sizeof (struct ip)) {
729		m_copydata(m, offsetof(struct ip, ip_src),
730			   sizeof (struct  in_addr),
731			   (caddr_t) &spidx->src.sin.sin_addr);
732		m_copydata(m, offsetof(struct ip, ip_dst),
733			   sizeof (struct  in_addr),
734			   (caddr_t) &spidx->dst.sin.sin_addr);
735	} else {
736		struct ip *ip = mtod(m, struct ip *);
737		spidx->src.sin.sin_addr = ip->ip_src;
738		spidx->dst.sin.sin_addr = ip->ip_dst;
739	}
740
741	spidx->prefs = sizeof(struct in_addr) << 3;
742	spidx->prefd = sizeof(struct in_addr) << 3;
743
744	return 0;
745}
746
747#ifdef INET6
748static void
749ipsec6_get_ulp(m, spidx, needport)
750	struct mbuf *m;
751	struct secpolicyindex *spidx;
752	int needport;
753{
754	int off, nxt;
755	struct tcphdr th;
756	struct udphdr uh;
757	struct icmp6_hdr ih;
758
759	/* sanity check */
760	if (m == NULL)
761		panic("%s: NULL pointer was passed.\n", __func__);
762
763	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
764		printf("%s:\n", __func__); kdebug_mbuf(m));
765
766	/* set default */
767	spidx->ul_proto = IPSEC_ULPROTO_ANY;
768	((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
769	((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
770
771	nxt = -1;
772	off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
773	if (off < 0 || m->m_pkthdr.len < off)
774		return;
775
776	switch (nxt) {
777	case IPPROTO_TCP:
778		spidx->ul_proto = nxt;
779		if (!needport)
780			break;
781		if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
782			break;
783		m_copydata(m, off, sizeof(th), (caddr_t)&th);
784		((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
785		((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
786		break;
787	case IPPROTO_UDP:
788		spidx->ul_proto = nxt;
789		if (!needport)
790			break;
791		if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
792			break;
793		m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
794		((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
795		((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
796		break;
797	case IPPROTO_ICMPV6:
798		spidx->ul_proto = nxt;
799		if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
800			break;
801		m_copydata(m, off, sizeof(ih), (caddr_t)&ih);
802		((struct sockaddr_in6 *)&spidx->src)->sin6_port =
803		    htons((uint16_t)ih.icmp6_type);
804		((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
805		    htons((uint16_t)ih.icmp6_code);
806		break;
807	default:
808		/* XXX intermediate headers??? */
809		spidx->ul_proto = nxt;
810		break;
811	}
812}
813
814/* assumes that m is sane */
815static int
816ipsec6_setspidx_ipaddr(m, spidx)
817	struct mbuf *m;
818	struct secpolicyindex *spidx;
819{
820	struct ip6_hdr *ip6 = NULL;
821	struct ip6_hdr ip6buf;
822	struct sockaddr_in6 *sin6;
823
824	if (m->m_len >= sizeof(*ip6))
825		ip6 = mtod(m, struct ip6_hdr *);
826	else {
827		m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
828		ip6 = &ip6buf;
829	}
830
831	sin6 = (struct sockaddr_in6 *)&spidx->src;
832	bzero(sin6, sizeof(*sin6));
833	sin6->sin6_family = AF_INET6;
834	sin6->sin6_len = sizeof(struct sockaddr_in6);
835	bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
836	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
837		sin6->sin6_addr.s6_addr16[1] = 0;
838		sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
839	}
840	spidx->prefs = sizeof(struct in6_addr) << 3;
841
842	sin6 = (struct sockaddr_in6 *)&spidx->dst;
843	bzero(sin6, sizeof(*sin6));
844	sin6->sin6_family = AF_INET6;
845	sin6->sin6_len = sizeof(struct sockaddr_in6);
846	bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
847	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
848		sin6->sin6_addr.s6_addr16[1] = 0;
849		sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
850	}
851	spidx->prefd = sizeof(struct in6_addr) << 3;
852
853	return 0;
854}
855#endif
856
857static void
858ipsec_delpcbpolicy(p)
859	struct inpcbpolicy *p;
860{
861	free(p, M_IPSEC_INPCB);
862}
863
864/* initialize policy in PCB */
865int
866ipsec_init_policy(so, pcb_sp)
867	struct socket *so;
868	struct inpcbpolicy **pcb_sp;
869{
870	struct inpcbpolicy *new;
871
872	/* sanity check. */
873	if (so == NULL || pcb_sp == NULL)
874		panic("%s: NULL pointer was passed.\n", __func__);
875
876	new = (struct inpcbpolicy *) malloc(sizeof(struct inpcbpolicy),
877					    M_IPSEC_INPCB, M_NOWAIT|M_ZERO);
878	if (new == NULL) {
879		ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
880		return ENOBUFS;
881	}
882
883	new->priv = IPSEC_IS_PRIVILEGED_SO(so);
884
885	if ((new->sp_in = KEY_NEWSP()) == NULL) {
886		ipsec_delpcbpolicy(new);
887		return ENOBUFS;
888	}
889	new->sp_in->state = IPSEC_SPSTATE_ALIVE;
890	new->sp_in->policy = IPSEC_POLICY_ENTRUST;
891
892	if ((new->sp_out = KEY_NEWSP()) == NULL) {
893		KEY_FREESP(&new->sp_in);
894		ipsec_delpcbpolicy(new);
895		return ENOBUFS;
896	}
897	new->sp_out->state = IPSEC_SPSTATE_ALIVE;
898	new->sp_out->policy = IPSEC_POLICY_ENTRUST;
899
900	*pcb_sp = new;
901
902	return 0;
903}
904
905/* copy old ipsec policy into new */
906int
907ipsec_copy_policy(old, new)
908	struct inpcbpolicy *old, *new;
909{
910	struct secpolicy *sp;
911
912	sp = ipsec_deepcopy_policy(old->sp_in);
913	if (sp) {
914		KEY_FREESP(&new->sp_in);
915		new->sp_in = sp;
916	} else
917		return ENOBUFS;
918
919	sp = ipsec_deepcopy_policy(old->sp_out);
920	if (sp) {
921		KEY_FREESP(&new->sp_out);
922		new->sp_out = sp;
923	} else
924		return ENOBUFS;
925
926	new->priv = old->priv;
927
928	return 0;
929}
930
931struct ipsecrequest *
932ipsec_newisr(void)
933{
934	struct ipsecrequest *p;
935
936	p = malloc(sizeof(struct ipsecrequest), M_IPSEC_SR, M_NOWAIT|M_ZERO);
937	if (p != NULL)
938		IPSECREQUEST_LOCK_INIT(p);
939	return p;
940}
941
942void
943ipsec_delisr(struct ipsecrequest *p)
944{
945	IPSECREQUEST_LOCK_DESTROY(p);
946	free(p, M_IPSEC_SR);
947}
948
949/* deep-copy a policy in PCB */
950static struct secpolicy *
951ipsec_deepcopy_policy(src)
952	struct secpolicy *src;
953{
954	struct ipsecrequest *newchain = NULL;
955	struct ipsecrequest *p;
956	struct ipsecrequest **q;
957	struct ipsecrequest *r;
958	struct secpolicy *dst;
959
960	if (src == NULL)
961		return NULL;
962	dst = KEY_NEWSP();
963	if (dst == NULL)
964		return NULL;
965
966	/*
967	 * deep-copy IPsec request chain.  This is required since struct
968	 * ipsecrequest is not reference counted.
969	 */
970	q = &newchain;
971	for (p = src->req; p; p = p->next) {
972		*q = ipsec_newisr();
973		if (*q == NULL)
974			goto fail;
975		(*q)->saidx.proto = p->saidx.proto;
976		(*q)->saidx.mode = p->saidx.mode;
977		(*q)->level = p->level;
978		(*q)->saidx.reqid = p->saidx.reqid;
979
980		bcopy(&p->saidx.src, &(*q)->saidx.src, sizeof((*q)->saidx.src));
981		bcopy(&p->saidx.dst, &(*q)->saidx.dst, sizeof((*q)->saidx.dst));
982
983		(*q)->sp = dst;
984
985		q = &((*q)->next);
986	}
987
988	dst->req = newchain;
989	dst->state = src->state;
990	dst->policy = src->policy;
991	/* do not touch the refcnt fields */
992
993	return dst;
994
995fail:
996	for (p = newchain; p; p = r) {
997		r = p->next;
998		ipsec_delisr(p);
999		p = NULL;
1000	}
1001	return NULL;
1002}
1003
1004/* set policy and ipsec request if present. */
1005static int
1006ipsec_set_policy(pcb_sp, optname, request, len, cred)
1007	struct secpolicy **pcb_sp;
1008	int optname;
1009	caddr_t request;
1010	size_t len;
1011	struct ucred *cred;
1012{
1013	struct sadb_x_policy *xpl;
1014	struct secpolicy *newsp = NULL;
1015	int error;
1016
1017	/* sanity check. */
1018	if (pcb_sp == NULL || *pcb_sp == NULL || request == NULL)
1019		return EINVAL;
1020	if (len < sizeof(*xpl))
1021		return EINVAL;
1022	xpl = (struct sadb_x_policy *)request;
1023
1024	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1025		printf("%s: passed policy\n", __func__);
1026		kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1027
1028	/* check policy type */
1029	/* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1030	if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1031	 || xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1032		return EINVAL;
1033
1034	/* check privileged socket */
1035	if (cred != NULL && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
1036		error = priv_check_cred(cred, PRIV_NETINET_IPSEC, 0);
1037		if (error)
1038			return EACCES;
1039	}
1040
1041	/* allocation new SP entry */
1042	if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1043		return error;
1044
1045	newsp->state = IPSEC_SPSTATE_ALIVE;
1046
1047	/* clear old SP and set new SP */
1048	KEY_FREESP(pcb_sp);
1049	*pcb_sp = newsp;
1050	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1051		printf("%s: new policy\n", __func__);
1052		kdebug_secpolicy(newsp));
1053
1054	return 0;
1055}
1056
1057static int
1058ipsec_get_policy(pcb_sp, mp)
1059	struct secpolicy *pcb_sp;
1060	struct mbuf **mp;
1061{
1062
1063	/* sanity check. */
1064	if (pcb_sp == NULL || mp == NULL)
1065		return EINVAL;
1066
1067	*mp = key_sp2msg(pcb_sp);
1068	if (!*mp) {
1069		ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
1070		return ENOBUFS;
1071	}
1072
1073	(*mp)->m_type = MT_DATA;
1074	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1075		printf("%s:\n", __func__); kdebug_mbuf(*mp));
1076
1077	return 0;
1078}
1079
1080int
1081ipsec4_set_policy(inp, optname, request, len, cred)
1082	struct inpcb *inp;
1083	int optname;
1084	caddr_t request;
1085	size_t len;
1086	struct ucred *cred;
1087{
1088	struct sadb_x_policy *xpl;
1089	struct secpolicy **pcb_sp;
1090
1091	/* sanity check. */
1092	if (inp == NULL || request == NULL)
1093		return EINVAL;
1094	if (len < sizeof(*xpl))
1095		return EINVAL;
1096	xpl = (struct sadb_x_policy *)request;
1097
1098	/* select direction */
1099	switch (xpl->sadb_x_policy_dir) {
1100	case IPSEC_DIR_INBOUND:
1101		pcb_sp = &inp->inp_sp->sp_in;
1102		break;
1103	case IPSEC_DIR_OUTBOUND:
1104		pcb_sp = &inp->inp_sp->sp_out;
1105		break;
1106	default:
1107		ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
1108			xpl->sadb_x_policy_dir));
1109		return EINVAL;
1110	}
1111
1112	return ipsec_set_policy(pcb_sp, optname, request, len, cred);
1113}
1114
1115int
1116ipsec4_get_policy(inp, request, len, mp)
1117	struct inpcb *inp;
1118	caddr_t request;
1119	size_t len;
1120	struct mbuf **mp;
1121{
1122	struct sadb_x_policy *xpl;
1123	struct secpolicy *pcb_sp;
1124
1125	/* sanity check. */
1126	if (inp == NULL || request == NULL || mp == NULL)
1127		return EINVAL;
1128	IPSEC_ASSERT(inp->inp_sp != NULL, ("null inp_sp"));
1129	if (len < sizeof(*xpl))
1130		return EINVAL;
1131	xpl = (struct sadb_x_policy *)request;
1132
1133	/* select direction */
1134	switch (xpl->sadb_x_policy_dir) {
1135	case IPSEC_DIR_INBOUND:
1136		pcb_sp = inp->inp_sp->sp_in;
1137		break;
1138	case IPSEC_DIR_OUTBOUND:
1139		pcb_sp = inp->inp_sp->sp_out;
1140		break;
1141	default:
1142		ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
1143			xpl->sadb_x_policy_dir));
1144		return EINVAL;
1145	}
1146
1147	return ipsec_get_policy(pcb_sp, mp);
1148}
1149
1150/* delete policy in PCB */
1151int
1152ipsec4_delete_pcbpolicy(inp)
1153	struct inpcb *inp;
1154{
1155	IPSEC_ASSERT(inp != NULL, ("null inp"));
1156
1157	if (inp->inp_sp == NULL)
1158		return 0;
1159
1160	if (inp->inp_sp->sp_in != NULL)
1161		KEY_FREESP(&inp->inp_sp->sp_in);
1162
1163	if (inp->inp_sp->sp_out != NULL)
1164		KEY_FREESP(&inp->inp_sp->sp_out);
1165
1166	ipsec_delpcbpolicy(inp->inp_sp);
1167	inp->inp_sp = NULL;
1168
1169	return 0;
1170}
1171
1172#ifdef INET6
1173int
1174ipsec6_set_policy(in6p, optname, request, len, cred)
1175	struct in6pcb *in6p;
1176	int optname;
1177	caddr_t request;
1178	size_t len;
1179	struct ucred *cred;
1180{
1181	struct sadb_x_policy *xpl;
1182	struct secpolicy **pcb_sp;
1183
1184	/* sanity check. */
1185	if (in6p == NULL || request == NULL)
1186		return EINVAL;
1187	if (len < sizeof(*xpl))
1188		return EINVAL;
1189	xpl = (struct sadb_x_policy *)request;
1190
1191	/* select direction */
1192	switch (xpl->sadb_x_policy_dir) {
1193	case IPSEC_DIR_INBOUND:
1194		pcb_sp = &in6p->in6p_sp->sp_in;
1195		break;
1196	case IPSEC_DIR_OUTBOUND:
1197		pcb_sp = &in6p->in6p_sp->sp_out;
1198		break;
1199	default:
1200		ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
1201			xpl->sadb_x_policy_dir));
1202		return EINVAL;
1203	}
1204
1205	return ipsec_set_policy(pcb_sp, optname, request, len, cred);
1206}
1207
1208int
1209ipsec6_get_policy(in6p, request, len, mp)
1210	struct in6pcb *in6p;
1211	caddr_t request;
1212	size_t len;
1213	struct mbuf **mp;
1214{
1215	struct sadb_x_policy *xpl;
1216	struct secpolicy *pcb_sp;
1217
1218	/* sanity check. */
1219	if (in6p == NULL || request == NULL || mp == NULL)
1220		return EINVAL;
1221	IPSEC_ASSERT(in6p->in6p_sp != NULL, ("null in6p_sp"));
1222	if (len < sizeof(*xpl))
1223		return EINVAL;
1224	xpl = (struct sadb_x_policy *)request;
1225
1226	/* select direction */
1227	switch (xpl->sadb_x_policy_dir) {
1228	case IPSEC_DIR_INBOUND:
1229		pcb_sp = in6p->in6p_sp->sp_in;
1230		break;
1231	case IPSEC_DIR_OUTBOUND:
1232		pcb_sp = in6p->in6p_sp->sp_out;
1233		break;
1234	default:
1235		ipseclog((LOG_ERR, "%s: invalid direction=%u\n", __func__,
1236			xpl->sadb_x_policy_dir));
1237		return EINVAL;
1238	}
1239
1240	return ipsec_get_policy(pcb_sp, mp);
1241}
1242
1243int
1244ipsec6_delete_pcbpolicy(in6p)
1245	struct in6pcb *in6p;
1246{
1247	IPSEC_ASSERT(in6p != NULL, ("null in6p"));
1248
1249	if (in6p->in6p_sp == NULL)
1250		return 0;
1251
1252	if (in6p->in6p_sp->sp_in != NULL)
1253		KEY_FREESP(&in6p->in6p_sp->sp_in);
1254
1255	if (in6p->in6p_sp->sp_out != NULL)
1256		KEY_FREESP(&in6p->in6p_sp->sp_out);
1257
1258	ipsec_delpcbpolicy(in6p->in6p_sp);
1259	in6p->in6p_sp = NULL;
1260
1261	return 0;
1262}
1263#endif
1264
1265/*
1266 * return current level.
1267 * Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1268 */
1269u_int
1270ipsec_get_reqlevel(isr)
1271	struct ipsecrequest *isr;
1272{
1273	u_int level = 0;
1274	u_int esp_trans_deflev, esp_net_deflev;
1275	u_int ah_trans_deflev, ah_net_deflev;
1276
1277	IPSEC_ASSERT(isr != NULL && isr->sp != NULL, ("null argument"));
1278	IPSEC_ASSERT(isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family,
1279		("af family mismatch, src %u, dst %u",
1280		 isr->sp->spidx.src.sa.sa_family,
1281		 isr->sp->spidx.dst.sa.sa_family));
1282
1283/* XXX note that we have ipseclog() expanded here - code sync issue */
1284#define IPSEC_CHECK_DEFAULT(lev) \
1285	(((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE	      \
1286			&& (lev) != IPSEC_LEVEL_UNIQUE)			      \
1287		? (ipsec_debug						      \
1288			? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1289				(lev), IPSEC_LEVEL_REQUIRE)		      \
1290			: 0),						      \
1291			(lev) = IPSEC_LEVEL_REQUIRE,			      \
1292			(lev)						      \
1293		: (lev))
1294
1295	/* set default level */
1296	switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1297#ifdef INET
1298	case AF_INET:
1299		esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1300		esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1301		ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1302		ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1303		break;
1304#endif
1305#ifdef INET6
1306	case AF_INET6:
1307		esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1308		esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1309		ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1310		ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1311		break;
1312#endif /* INET6 */
1313	default:
1314		panic("%s: unknown af %u",
1315			__func__, isr->sp->spidx.src.sa.sa_family);
1316	}
1317
1318#undef IPSEC_CHECK_DEFAULT
1319
1320	/* set level */
1321	switch (isr->level) {
1322	case IPSEC_LEVEL_DEFAULT:
1323		switch (isr->saidx.proto) {
1324		case IPPROTO_ESP:
1325			if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1326				level = esp_net_deflev;
1327			else
1328				level = esp_trans_deflev;
1329			break;
1330		case IPPROTO_AH:
1331			if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1332				level = ah_net_deflev;
1333			else
1334				level = ah_trans_deflev;
1335			break;
1336		case IPPROTO_IPCOMP:
1337			/*
1338			 * we don't really care, as IPcomp document says that
1339			 * we shouldn't compress small packets
1340			 */
1341			level = IPSEC_LEVEL_USE;
1342			break;
1343		default:
1344			panic("%s: Illegal protocol defined %u\n", __func__,
1345				isr->saidx.proto);
1346		}
1347		break;
1348
1349	case IPSEC_LEVEL_USE:
1350	case IPSEC_LEVEL_REQUIRE:
1351		level = isr->level;
1352		break;
1353	case IPSEC_LEVEL_UNIQUE:
1354		level = IPSEC_LEVEL_REQUIRE;
1355		break;
1356
1357	default:
1358		panic("%s: Illegal IPsec level %u\n", __func__, isr->level);
1359	}
1360
1361	return level;
1362}
1363
1364/*
1365 * Check security policy requirements against the actual
1366 * packet contents.  Return one if the packet should be
1367 * reject as "invalid"; otherwiser return zero to have the
1368 * packet treated as "valid".
1369 *
1370 * OUT:
1371 *	0: valid
1372 *	1: invalid
1373 */
1374int
1375ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
1376{
1377	struct ipsecrequest *isr;
1378	int need_auth;
1379
1380	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1381		printf("%s: using SP\n", __func__); kdebug_secpolicy(sp));
1382
1383	/* check policy */
1384	switch (sp->policy) {
1385	case IPSEC_POLICY_DISCARD:
1386		return 1;
1387	case IPSEC_POLICY_BYPASS:
1388	case IPSEC_POLICY_NONE:
1389		return 0;
1390	}
1391
1392	IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
1393		("invalid policy %u", sp->policy));
1394
1395	/* XXX should compare policy against ipsec header history */
1396
1397	need_auth = 0;
1398	for (isr = sp->req; isr != NULL; isr = isr->next) {
1399		if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE)
1400			continue;
1401		switch (isr->saidx.proto) {
1402		case IPPROTO_ESP:
1403			if ((m->m_flags & M_DECRYPTED) == 0) {
1404				KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1405				    printf("%s: ESP m_flags:%x\n", __func__,
1406					    m->m_flags));
1407				return 1;
1408			}
1409
1410			if (!need_auth &&
1411			    isr->sav != NULL &&
1412			    isr->sav->tdb_authalgxform != NULL &&
1413			    (m->m_flags & M_AUTHIPDGM) == 0) {
1414				KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1415				    printf("%s: ESP/AH m_flags:%x\n", __func__,
1416					    m->m_flags));
1417				return 1;
1418			}
1419			break;
1420		case IPPROTO_AH:
1421			need_auth = 1;
1422			if ((m->m_flags & M_AUTHIPHDR) == 0) {
1423				KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1424				    printf("%s: AH m_flags:%x\n", __func__,
1425					    m->m_flags));
1426				return 1;
1427			}
1428			break;
1429		case IPPROTO_IPCOMP:
1430			/*
1431			 * we don't really care, as IPcomp document
1432			 * says that we shouldn't compress small
1433			 * packets, IPComp policy should always be
1434			 * treated as being in "use" level.
1435			 */
1436			break;
1437		}
1438	}
1439	return 0;		/* valid */
1440}
1441
1442/*
1443 * Check AH/ESP integrity.
1444 * This function is called from tcp_input(), udp_input(),
1445 * and {ah,esp}4_input for tunnel mode
1446 */
1447int
1448ipsec4_in_reject(m, inp)
1449	struct mbuf *m;
1450	struct inpcb *inp;
1451{
1452	struct secpolicy *sp;
1453	int error;
1454	int result;
1455
1456	IPSEC_ASSERT(m != NULL, ("null mbuf"));
1457
1458	/* get SP for this packet.
1459	 * When we are called from ip_forward(), we call
1460	 * ipsec_getpolicybyaddr() with IP_FORWARDING flag.
1461	 */
1462	if (inp == NULL)
1463		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1464	else
1465		sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, inp, &error);
1466
1467	if (sp != NULL) {
1468		result = ipsec_in_reject(sp, m);
1469		if (result)
1470			ipsec4stat.ips_in_polvio++;
1471		KEY_FREESP(&sp);
1472	} else {
1473		result = 0;	/* XXX should be panic ?
1474				 * -> No, there may be error. */
1475	}
1476	return result;
1477}
1478
1479#ifdef INET6
1480/*
1481 * Check AH/ESP integrity.
1482 * This function is called from tcp6_input(), udp6_input(),
1483 * and {ah,esp}6_input for tunnel mode
1484 */
1485int
1486ipsec6_in_reject(m, inp)
1487	struct mbuf *m;
1488	struct inpcb *inp;
1489{
1490	struct secpolicy *sp = NULL;
1491	int error;
1492	int result;
1493
1494	/* sanity check */
1495	if (m == NULL)
1496		return 0;	/* XXX should be panic ? */
1497
1498	/* get SP for this packet.
1499	 * When we are called from ip_forward(), we call
1500	 * ipsec_getpolicybyaddr() with IP_FORWARDING flag.
1501	 */
1502	if (inp == NULL)
1503		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1504	else
1505		sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, inp, &error);
1506
1507	if (sp != NULL) {
1508		result = ipsec_in_reject(sp, m);
1509		if (result)
1510			ipsec6stat.ips_in_polvio++;
1511		KEY_FREESP(&sp);
1512	} else {
1513		result = 0;
1514	}
1515	return result;
1516}
1517#endif
1518
1519/*
1520 * compute the byte size to be occupied by IPsec header.
1521 * in case it is tunneled, it includes the size of outer IP header.
1522 * NOTE: SP passed is free in this function.
1523 */
1524static size_t
1525ipsec_hdrsiz(struct secpolicy *sp)
1526{
1527	struct ipsecrequest *isr;
1528	size_t siz;
1529
1530	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1531		printf("%s: using SP\n", __func__); kdebug_secpolicy(sp));
1532
1533	switch (sp->policy) {
1534	case IPSEC_POLICY_DISCARD:
1535	case IPSEC_POLICY_BYPASS:
1536	case IPSEC_POLICY_NONE:
1537		return 0;
1538	}
1539
1540	IPSEC_ASSERT(sp->policy == IPSEC_POLICY_IPSEC,
1541		("invalid policy %u", sp->policy));
1542
1543	siz = 0;
1544	for (isr = sp->req; isr != NULL; isr = isr->next) {
1545		size_t clen = 0;
1546
1547		switch (isr->saidx.proto) {
1548		case IPPROTO_ESP:
1549			clen = esp_hdrsiz(isr->sav);
1550			break;
1551		case IPPROTO_AH:
1552			clen = ah_hdrsiz(isr->sav);
1553			break;
1554		case IPPROTO_IPCOMP:
1555			clen = sizeof(struct ipcomp);
1556			break;
1557		}
1558
1559		if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1560			switch (isr->saidx.dst.sa.sa_family) {
1561			case AF_INET:
1562				clen += sizeof(struct ip);
1563				break;
1564#ifdef INET6
1565			case AF_INET6:
1566				clen += sizeof(struct ip6_hdr);
1567				break;
1568#endif
1569			default:
1570				ipseclog((LOG_ERR, "%s: unknown AF %d in "
1571				    "IPsec tunnel SA\n", __func__,
1572				    ((struct sockaddr *)&isr->saidx.dst)->sa_family));
1573				break;
1574			}
1575		}
1576		siz += clen;
1577	}
1578
1579	return siz;
1580}
1581
1582/* This function is called from ip_forward() and ipsec4_hdrsize_tcp(). */
1583size_t
1584ipsec4_hdrsiz(m, dir, inp)
1585	struct mbuf *m;
1586	u_int dir;
1587	struct inpcb *inp;
1588{
1589	struct secpolicy *sp;
1590	int error;
1591	size_t size;
1592
1593	IPSEC_ASSERT(m != NULL, ("null mbuf"));
1594
1595	/* get SP for this packet.
1596	 * When we are called from ip_forward(), we call
1597	 * ipsec_getpolicybyaddr() with IP_FORWARDING flag.
1598	 */
1599	if (inp == NULL)
1600		sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1601	else
1602		sp = ipsec_getpolicybysock(m, dir, inp, &error);
1603
1604	if (sp != NULL) {
1605		size = ipsec_hdrsiz(sp);
1606		KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1607			printf("%s: size:%lu.\n", __func__,
1608				(unsigned long)size));
1609
1610		KEY_FREESP(&sp);
1611	} else {
1612		size = 0;	/* XXX should be panic ?
1613				 * -> No, we are called w/o knowing if
1614				 *    IPsec processing is needed. */
1615	}
1616	return size;
1617}
1618
1619#ifdef INET6
1620/* This function is called from ipsec6_hdrsize_tcp(),
1621 * and maybe from ip6_forward.()
1622 */
1623size_t
1624ipsec6_hdrsiz(m, dir, in6p)
1625	struct mbuf *m;
1626	u_int dir;
1627	struct in6pcb *in6p;
1628{
1629	struct secpolicy *sp;
1630	int error;
1631	size_t size;
1632
1633	IPSEC_ASSERT(m != NULL, ("null mbuf"));
1634	IPSEC_ASSERT(in6p == NULL || in6p->in6p_socket != NULL,
1635		("socket w/o inpcb"));
1636
1637	/* get SP for this packet */
1638	/* XXX Is it right to call with IP_FORWARDING. */
1639	if (in6p == NULL)
1640		sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1641	else
1642		sp = ipsec_getpolicybysock(m, dir, in6p, &error);
1643
1644	if (sp == NULL)
1645		return 0;
1646	size = ipsec_hdrsiz(sp);
1647	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1648		printf("%s: size:%lu.\n", __func__, (unsigned long)size));
1649	KEY_FREESP(&sp);
1650
1651	return size;
1652}
1653#endif /*INET6*/
1654
1655/*
1656 * Check the variable replay window.
1657 * ipsec_chkreplay() performs replay check before ICV verification.
1658 * ipsec_updatereplay() updates replay bitmap.  This must be called after
1659 * ICV verification (it also performs replay check, which is usually done
1660 * beforehand).
1661 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
1662 *
1663 * based on RFC 2401.
1664 */
1665int
1666ipsec_chkreplay(seq, sav)
1667	u_int32_t seq;
1668	struct secasvar *sav;
1669{
1670	const struct secreplay *replay;
1671	u_int32_t diff;
1672	int fr;
1673	u_int32_t wsizeb;	/* constant: bits of window size */
1674	int frlast;		/* constant: last frame */
1675
1676	IPSEC_ASSERT(sav != NULL, ("Null SA"));
1677	IPSEC_ASSERT(sav->replay != NULL, ("Null replay state"));
1678
1679	replay = sav->replay;
1680
1681	if (replay->wsize == 0)
1682		return 1;	/* no need to check replay. */
1683
1684	/* constant */
1685	frlast = replay->wsize - 1;
1686	wsizeb = replay->wsize << 3;
1687
1688	/* sequence number of 0 is invalid */
1689	if (seq == 0)
1690		return 0;
1691
1692	/* first time is always okay */
1693	if (replay->count == 0)
1694		return 1;
1695
1696	if (seq > replay->lastseq) {
1697		/* larger sequences are okay */
1698		return 1;
1699	} else {
1700		/* seq is equal or less than lastseq. */
1701		diff = replay->lastseq - seq;
1702
1703		/* over range to check, i.e. too old or wrapped */
1704		if (diff >= wsizeb)
1705			return 0;
1706
1707		fr = frlast - diff / 8;
1708
1709		/* this packet already seen ? */
1710		if ((replay->bitmap)[fr] & (1 << (diff % 8)))
1711			return 0;
1712
1713		/* out of order but good */
1714		return 1;
1715	}
1716}
1717
1718/*
1719 * check replay counter whether to update or not.
1720 * OUT:	0:	OK
1721 *	1:	NG
1722 */
1723int
1724ipsec_updatereplay(seq, sav)
1725	u_int32_t seq;
1726	struct secasvar *sav;
1727{
1728	struct secreplay *replay;
1729	u_int32_t diff;
1730	int fr;
1731	u_int32_t wsizeb;	/* constant: bits of window size */
1732	int frlast;		/* constant: last frame */
1733
1734	IPSEC_ASSERT(sav != NULL, ("Null SA"));
1735	IPSEC_ASSERT(sav->replay != NULL, ("Null replay state"));
1736
1737	replay = sav->replay;
1738
1739	if (replay->wsize == 0)
1740		goto ok;	/* no need to check replay. */
1741
1742	/* constant */
1743	frlast = replay->wsize - 1;
1744	wsizeb = replay->wsize << 3;
1745
1746	/* sequence number of 0 is invalid */
1747	if (seq == 0)
1748		return 1;
1749
1750	/* first time */
1751	if (replay->count == 0) {
1752		replay->lastseq = seq;
1753		bzero(replay->bitmap, replay->wsize);
1754		(replay->bitmap)[frlast] = 1;
1755		goto ok;
1756	}
1757
1758	if (seq > replay->lastseq) {
1759		/* seq is larger than lastseq. */
1760		diff = seq - replay->lastseq;
1761
1762		/* new larger sequence number */
1763		if (diff < wsizeb) {
1764			/* In window */
1765			/* set bit for this packet */
1766			vshiftl(replay->bitmap, diff, replay->wsize);
1767			(replay->bitmap)[frlast] |= 1;
1768		} else {
1769			/* this packet has a "way larger" */
1770			bzero(replay->bitmap, replay->wsize);
1771			(replay->bitmap)[frlast] = 1;
1772		}
1773		replay->lastseq = seq;
1774
1775		/* larger is good */
1776	} else {
1777		/* seq is equal or less than lastseq. */
1778		diff = replay->lastseq - seq;
1779
1780		/* over range to check, i.e. too old or wrapped */
1781		if (diff >= wsizeb)
1782			return 1;
1783
1784		fr = frlast - diff / 8;
1785
1786		/* this packet already seen ? */
1787		if ((replay->bitmap)[fr] & (1 << (diff % 8)))
1788			return 1;
1789
1790		/* mark as seen */
1791		(replay->bitmap)[fr] |= (1 << (diff % 8));
1792
1793		/* out of order but good */
1794	}
1795
1796ok:
1797	if (replay->count == ~0) {
1798
1799		/* set overflow flag */
1800		replay->overflow++;
1801
1802		/* don't increment, no more packets accepted */
1803		if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
1804			return 1;
1805
1806		ipseclog((LOG_WARNING, "%s: replay counter made %d cycle. %s\n",
1807		    __func__, replay->overflow, ipsec_logsastr(sav)));
1808	}
1809
1810	replay->count++;
1811
1812	return 0;
1813}
1814
1815/*
1816 * shift variable length buffer to left.
1817 * IN:	bitmap: pointer to the buffer
1818 * 	nbit:	the number of to shift.
1819 *	wsize:	buffer size (bytes).
1820 */
1821static void
1822vshiftl(bitmap, nbit, wsize)
1823	unsigned char *bitmap;
1824	int nbit, wsize;
1825{
1826	int s, j, i;
1827	unsigned char over;
1828
1829	for (j = 0; j < nbit; j += 8) {
1830		s = (nbit - j < 8) ? (nbit - j): 8;
1831		bitmap[0] <<= s;
1832		for (i = 1; i < wsize; i++) {
1833			over = (bitmap[i] >> (8 - s));
1834			bitmap[i] <<= s;
1835			bitmap[i-1] |= over;
1836		}
1837	}
1838
1839	return;
1840}
1841
1842/* Return a printable string for the IPv4 address. */
1843static char *
1844inet_ntoa4(struct in_addr ina)
1845{
1846	static char buf[4][4 * sizeof "123" + 4];
1847	unsigned char *ucp = (unsigned char *) &ina;
1848	static int i = 3;
1849
1850	/* XXX-BZ returns static buffer. */
1851	i = (i + 1) % 4;
1852	sprintf(buf[i], "%d.%d.%d.%d", ucp[0] & 0xff, ucp[1] & 0xff,
1853	    ucp[2] & 0xff, ucp[3] & 0xff);
1854	return (buf[i]);
1855}
1856
1857/* Return a printable string for the address. */
1858char *
1859ipsec_address(union sockaddr_union* sa)
1860{
1861#ifdef INET6
1862	char ip6buf[INET6_ADDRSTRLEN];
1863#endif
1864	switch (sa->sa.sa_family) {
1865#ifdef INET
1866	case AF_INET:
1867		return inet_ntoa4(sa->sin.sin_addr);
1868#endif /* INET */
1869
1870#ifdef INET6
1871	case AF_INET6:
1872		return ip6_sprintf(ip6buf, &sa->sin6.sin6_addr);
1873#endif /* INET6 */
1874
1875	default:
1876		return "(unknown address family)";
1877	}
1878}
1879
1880const char *
1881ipsec_logsastr(sav)
1882	struct secasvar *sav;
1883{
1884	static char buf[256];
1885	char *p;
1886	struct secasindex *saidx = &sav->sah->saidx;
1887
1888	IPSEC_ASSERT(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
1889		("address family mismatch"));
1890
1891	p = buf;
1892	snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
1893	while (p && *p)
1894		p++;
1895	/* NB: only use ipsec_address on one address at a time */
1896	snprintf(p, sizeof (buf) - (p - buf), "src=%s ",
1897		ipsec_address(&saidx->src));
1898	while (p && *p)
1899		p++;
1900	snprintf(p, sizeof (buf) - (p - buf), "dst=%s)",
1901		ipsec_address(&saidx->dst));
1902
1903	return buf;
1904}
1905
1906void
1907ipsec_dumpmbuf(m)
1908	struct mbuf *m;
1909{
1910	int totlen;
1911	int i;
1912	u_char *p;
1913
1914	totlen = 0;
1915	printf("---\n");
1916	while (m) {
1917		p = mtod(m, u_char *);
1918		for (i = 0; i < m->m_len; i++) {
1919			printf("%02x ", p[i]);
1920			totlen++;
1921			if (totlen % 16 == 0)
1922				printf("\n");
1923		}
1924		m = m->m_next;
1925	}
1926	if (totlen % 16 != 0)
1927		printf("\n");
1928	printf("---\n");
1929}
1930
1931static void
1932ipsec_attach(void)
1933{
1934	SECPOLICY_LOCK_INIT(&ip4_def_policy);
1935	ip4_def_policy.refcnt = 1;			/* NB: disallow free */
1936}
1937SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL);
1938
1939
1940/* XXX this stuff doesn't belong here... */
1941
1942static	struct xformsw* xforms = NULL;
1943
1944/*
1945 * Register a transform; typically at system startup.
1946 */
1947void
1948xform_register(struct xformsw* xsp)
1949{
1950	xsp->xf_next = xforms;
1951	xforms = xsp;
1952}
1953
1954/*
1955 * Initialize transform support in an sav.
1956 */
1957int
1958xform_init(struct secasvar *sav, int xftype)
1959{
1960	struct xformsw *xsp;
1961
1962	if (sav->tdb_xform != NULL)	/* previously initialized */
1963		return 0;
1964	for (xsp = xforms; xsp; xsp = xsp->xf_next)
1965		if (xsp->xf_type == xftype)
1966			return (*xsp->xf_init)(sav, xsp);
1967	return EINVAL;
1968}
1969