1 /* $NetBSD: ipsec.c,v 1.178 2023/01/27 09:33:43 ozaki-r Exp $ */
2 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.178 2023/01/27 09:33:43 ozaki-r Exp $");
36
37 /*
38 * IPsec controller part.
39 */
40
41 #if defined(_KERNEL_OPT)
42 #include "opt_inet.h"
43 #include "opt_ipsec.h"
44 #endif
45
46 #include <sys/param.h>
47 #include <sys/systm.h>
48 #include <sys/mbuf.h>
49 #include <sys/domain.h>
50 #include <sys/protosw.h>
51 #include <sys/socket.h>
52 #include <sys/socketvar.h>
53 #include <sys/errno.h>
54 #include <sys/time.h>
55 #include <sys/kernel.h>
56 #include <sys/syslog.h>
57 #include <sys/sysctl.h>
58 #include <sys/proc.h>
59 #include <sys/kauth.h>
60 #include <sys/cpu.h>
61 #include <sys/kmem.h>
62 #include <sys/pserialize.h>
63
64 #include <net/if.h>
65 #include <net/route.h>
66
67 #include <netinet/in.h>
68 #include <netinet/in_systm.h>
69 #include <netinet/ip.h>
70 #include <netinet/ip_var.h>
71 #include <netinet/in_var.h>
72 #include <netinet/udp.h>
73 #include <netinet/udp_var.h>
74 #include <netinet/tcp.h>
75 #include <netinet/udp.h>
76 #include <netinet/ip_icmp.h>
77 #include <netinet/ip_private.h>
78
79 #include <netinet/ip6.h>
80 #ifdef INET6
81 #include <netinet6/ip6_var.h>
82 #endif
83 #include <netinet/in_pcb.h>
84 #include <netinet/in_offload.h>
85 #ifdef INET6
86 #include <netinet6/in6_pcb.h>
87 #include <netinet/icmp6.h>
88 #endif
89
90 #include <netipsec/ipsec.h>
91 #include <netipsec/ipsec_var.h>
92 #include <netipsec/ipsec_private.h>
93 #ifdef INET6
94 #include <netipsec/ipsec6.h>
95 #endif
96 #include <netipsec/ah_var.h>
97 #include <netipsec/esp_var.h>
98 #include <netipsec/ipcomp.h> /*XXX*/
99 #include <netipsec/ipcomp_var.h>
100
101 #include <netipsec/key.h>
102 #include <netipsec/keydb.h>
103 #include <netipsec/key_debug.h>
104
105 #include <netipsec/xform.h>
106
107 int ipsec_used = 0;
108 int ipsec_enabled = 1;
109
110 #ifdef IPSEC_DEBUG
111 int ipsec_debug = 1;
112
113 /*
114 * When set to 1, IPsec will send packets with the same sequence number.
115 * This allows to verify if the other side has proper replay attacks detection.
116 */
117 int ipsec_replay = 0;
118
119 /*
120 * When set 1, IPsec will send packets with corrupted HMAC.
121 * This allows to verify if the other side properly detects modified packets.
122 */
123 int ipsec_integrity = 0;
124 #else
125 int ipsec_debug = 0;
126 #endif
127
128 percpu_t *ipsecstat_percpu;
129
130 int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
131 int ip4_ipsec_dfbit = 2; /* DF bit on encap. 0: clear 1: set 2: copy */
132 int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
133 int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
134 int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
135 int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
136 struct secpolicy ip4_def_policy;
137 int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
138
139 u_int ipsec_spdgen = 1; /* SPD generation # */
140
141 static struct secpolicy ipsec_dummy_sp __read_mostly = {
142 .state = IPSEC_SPSTATE_ALIVE,
143 /* If ENTRUST, the dummy SP never be used. See ipsec_getpolicybysock. */
144 .policy = IPSEC_POLICY_ENTRUST,
145 };
146
147 static struct secpolicy *ipsec_checkpcbcache(struct mbuf *,
148 struct inpcbpolicy *, int);
149 static int ipsec_fillpcbcache(struct inpcbpolicy *, struct mbuf *,
150 struct secpolicy *, int);
151 static int ipsec_invalpcbcache(struct inpcbpolicy *, int);
152
153 /*
154 * Crypto support requirements:
155 *
156 * 1 require hardware support
157 * -1 require software support
158 * 0 take anything
159 */
160 int crypto_support = 0;
161
162 static struct secpolicy *ipsec_getpolicybysock(struct mbuf *, u_int,
163 struct inpcb *, int *);
164
165 #ifdef INET6
166 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
167 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
168 int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
169 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
170 struct secpolicy ip6_def_policy;
171 int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
172 #endif
173
174 static int ipsec_setspidx_inpcb(struct mbuf *, struct inpcb *);
175 static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int, int);
176 static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
177 static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
178 #ifdef INET6
179 static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
180 static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
181 #endif
182 static void ipsec_delpcbpolicy(struct inpcbpolicy *);
183 static void ipsec_destroy_policy(struct secpolicy *);
184 static int ipsec_sp_reject(const struct secpolicy *, const struct mbuf *);
185 static void vshiftl(unsigned char *, int, int);
186 static size_t ipsec_sp_hdrsiz(const struct secpolicy *, const struct mbuf *);
187
188 /*
189 * Try to validate and use cached policy on a PCB.
190 */
191 static struct secpolicy *
ipsec_checkpcbcache(struct mbuf * m,struct inpcbpolicy * pcbsp,int dir)192 ipsec_checkpcbcache(struct mbuf *m, struct inpcbpolicy *pcbsp, int dir)
193 {
194 struct secpolicyindex spidx;
195 struct secpolicy *sp = NULL;
196 int s;
197
198 KASSERT(IPSEC_DIR_IS_VALID(dir));
199 KASSERT(pcbsp != NULL);
200 KASSERT(dir < __arraycount(pcbsp->sp_cache));
201 KASSERT(inp_locked(pcbsp->sp_inp));
202
203 /*
204 * Checking the generation and sp->state and taking a reference to an SP
205 * must be in a critical section of pserialize. See key_unlink_sp.
206 */
207 s = pserialize_read_enter();
208 /* SPD table change invalidate all the caches. */
209 if (ipsec_spdgen != pcbsp->sp_cache[dir].cachegen) {
210 ipsec_invalpcbcache(pcbsp, dir);
211 goto out;
212 }
213 sp = pcbsp->sp_cache[dir].cachesp;
214 if (sp == NULL)
215 goto out;
216 if (sp->state != IPSEC_SPSTATE_ALIVE) {
217 sp = NULL;
218 ipsec_invalpcbcache(pcbsp, dir);
219 goto out;
220 }
221 if ((pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) == 0) {
222 /* NB: assume ipsec_setspidx never sleep */
223 if (ipsec_setspidx(m, &spidx, dir, 1) != 0) {
224 sp = NULL;
225 goto out;
226 }
227
228 /*
229 * We have to make an exact match here since the cached rule
230 * might have lower priority than a rule that would otherwise
231 * have matched the packet.
232 */
233 if (memcmp(&pcbsp->sp_cache[dir].cacheidx, &spidx,
234 sizeof(spidx))) {
235 sp = NULL;
236 goto out;
237 }
238 } else {
239 /*
240 * The pcb is connected, and the L4 code is sure that:
241 * - outgoing side uses inp_[lf]addr
242 * - incoming side looks up policy after inpcb lookup
243 * and address pair is know to be stable. We do not need
244 * to generate spidx again, nor check the address match again.
245 *
246 * For IPv4/v6 SOCK_STREAM sockets, this assumptions holds
247 * and there are calls to ipsec_pcbconn() from inpcb_connect().
248 */
249 }
250
251 key_sp_touch(sp);
252 KEY_SP_REF(sp);
253 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
254 "DP cause refcnt++:%d SP:%p\n",
255 key_sp_refcnt(sp), pcbsp->sp_cache[dir].cachesp);
256 out:
257 pserialize_read_exit(s);
258 return sp;
259 }
260
261 static int
ipsec_fillpcbcache(struct inpcbpolicy * pcbsp,struct mbuf * m,struct secpolicy * sp,int dir)262 ipsec_fillpcbcache(struct inpcbpolicy *pcbsp, struct mbuf *m,
263 struct secpolicy *sp, int dir)
264 {
265
266 KASSERT(IPSEC_DIR_IS_INOROUT(dir));
267 KASSERT(dir < __arraycount(pcbsp->sp_cache));
268 KASSERT(inp_locked(pcbsp->sp_inp));
269
270 pcbsp->sp_cache[dir].cachesp = NULL;
271 pcbsp->sp_cache[dir].cachehint = IPSEC_PCBHINT_UNKNOWN;
272 if (ipsec_setspidx(m, &pcbsp->sp_cache[dir].cacheidx, dir, 1) != 0) {
273 return EINVAL;
274 }
275 pcbsp->sp_cache[dir].cachesp = sp;
276 if (pcbsp->sp_cache[dir].cachesp) {
277 /*
278 * If the PCB is connected, we can remember a hint to
279 * possibly short-circuit IPsec processing in other places.
280 */
281 if (pcbsp->sp_cacheflags & IPSEC_PCBSP_CONNECTED) {
282 switch (pcbsp->sp_cache[dir].cachesp->policy) {
283 case IPSEC_POLICY_NONE:
284 case IPSEC_POLICY_BYPASS:
285 pcbsp->sp_cache[dir].cachehint =
286 IPSEC_PCBHINT_NO;
287 break;
288 default:
289 pcbsp->sp_cache[dir].cachehint =
290 IPSEC_PCBHINT_YES;
291 }
292 }
293 }
294 pcbsp->sp_cache[dir].cachegen = ipsec_spdgen;
295
296 return 0;
297 }
298
299 static int
ipsec_invalpcbcache(struct inpcbpolicy * pcbsp,int dir)300 ipsec_invalpcbcache(struct inpcbpolicy *pcbsp, int dir)
301 {
302 int i;
303
304 KASSERT(inp_locked(pcbsp->sp_inp));
305
306 for (i = IPSEC_DIR_INBOUND; i <= IPSEC_DIR_OUTBOUND; i++) {
307 if (dir != IPSEC_DIR_ANY && i != dir)
308 continue;
309 pcbsp->sp_cache[i].cachesp = NULL;
310 pcbsp->sp_cache[i].cachehint = IPSEC_PCBHINT_UNKNOWN;
311 pcbsp->sp_cache[i].cachegen = 0;
312 memset(&pcbsp->sp_cache[i].cacheidx, 0,
313 sizeof(pcbsp->sp_cache[i].cacheidx));
314 }
315 return 0;
316 }
317
318 void
ipsec_pcbconn(struct inpcbpolicy * pcbsp)319 ipsec_pcbconn(struct inpcbpolicy *pcbsp)
320 {
321
322 KASSERT(inp_locked(pcbsp->sp_inp));
323
324 pcbsp->sp_cacheflags |= IPSEC_PCBSP_CONNECTED;
325 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
326 }
327
328 void
ipsec_pcbdisconn(struct inpcbpolicy * pcbsp)329 ipsec_pcbdisconn(struct inpcbpolicy *pcbsp)
330 {
331
332 KASSERT(inp_locked(pcbsp->sp_inp));
333
334 pcbsp->sp_cacheflags &= ~IPSEC_PCBSP_CONNECTED;
335 ipsec_invalpcbcache(pcbsp, IPSEC_DIR_ANY);
336 }
337
338 void
ipsec_invalpcbcacheall(void)339 ipsec_invalpcbcacheall(void)
340 {
341
342 if (ipsec_spdgen == UINT_MAX)
343 ipsec_spdgen = 1;
344 else
345 ipsec_spdgen++;
346 }
347
348 /*
349 * Return a held reference to the default SP.
350 */
351 static struct secpolicy *
key_get_default_sp(int af,const char * where,int tag)352 key_get_default_sp(int af, const char *where, int tag)
353 {
354 struct secpolicy *sp;
355
356 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
357
358 switch(af) {
359 case AF_INET:
360 sp = &ip4_def_policy;
361 break;
362 #ifdef INET6
363 case AF_INET6:
364 sp = &ip6_def_policy;
365 break;
366 #endif
367 default:
368 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
369 "unexpected protocol family %u\n", af);
370 return NULL;
371 }
372
373 if (sp->policy != IPSEC_POLICY_DISCARD &&
374 sp->policy != IPSEC_POLICY_NONE) {
375 IPSECLOG(LOG_INFO, "fixed system default policy: %d->%d\n",
376 sp->policy, IPSEC_POLICY_NONE);
377 sp->policy = IPSEC_POLICY_NONE;
378 }
379 KEY_SP_REF(sp);
380
381 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP returns SP:%p (%u)\n",
382 sp, key_sp_refcnt(sp));
383 return sp;
384 }
385
386 #define KEY_GET_DEFAULT_SP(af) \
387 key_get_default_sp((af), __func__, __LINE__)
388
389 /*
390 * For OUTBOUND packet having a socket. Searching SPD for packet,
391 * and return a pointer to SP.
392 * OUT: NULL: no appropriate SP found, the following value is set to error.
393 * 0 : bypass
394 * EACCES : discard packet.
395 * ENOENT : ipsec_acquire() in progress, maybe.
396 * others : error occurred.
397 * others: a pointer to SP
398 *
399 * NOTE: IPv6 mapped address concern is implemented here.
400 */
401 static struct secpolicy *
ipsec_getpolicybysock(struct mbuf * m,u_int dir,struct inpcb * inp,int * error)402 ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp,
403 int *error)
404 {
405 struct inpcbpolicy *pcbsp = NULL;
406 struct secpolicy *currsp = NULL; /* policy on socket */
407 struct secpolicy *sp;
408 int af;
409
410 KASSERT(m != NULL);
411 KASSERT(inp != NULL);
412 KASSERT(error != NULL);
413 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
414
415 KASSERT(inp->inp_socket != NULL);
416 KASSERT(inp_locked(inp));
417
418 /* XXX FIXME inpcb vs socket*/
419 af = inp->inp_af;
420 KASSERTMSG(af == AF_INET || af == AF_INET6,
421 "unexpected protocol family %u", af);
422
423 KASSERT(inp->inp_sp != NULL);
424 /* If we have a cached entry, and if it is still valid, use it. */
425 IPSEC_STATINC(IPSEC_STAT_SPDCACHELOOKUP);
426 currsp = ipsec_checkpcbcache(m, inp->inp_sp, dir);
427 if (currsp) {
428 *error = 0;
429 return currsp;
430 }
431 IPSEC_STATINC(IPSEC_STAT_SPDCACHEMISS);
432
433 switch (af) {
434 case AF_INET:
435 #if defined(INET6)
436 case AF_INET6:
437 #endif
438 *error = ipsec_setspidx_inpcb(m, inp);
439 pcbsp = inp->inp_sp;
440 break;
441 default:
442 *error = EPFNOSUPPORT;
443 break;
444 }
445 if (*error)
446 return NULL;
447
448 KASSERT(pcbsp != NULL);
449 switch (dir) {
450 case IPSEC_DIR_INBOUND:
451 currsp = pcbsp->sp_in;
452 break;
453 case IPSEC_DIR_OUTBOUND:
454 currsp = pcbsp->sp_out;
455 break;
456 }
457 KASSERT(currsp != NULL);
458
459 if (pcbsp->priv) { /* when privileged socket */
460 switch (currsp->policy) {
461 case IPSEC_POLICY_BYPASS:
462 case IPSEC_POLICY_IPSEC:
463 KEY_SP_REF(currsp);
464 sp = currsp;
465 break;
466
467 case IPSEC_POLICY_ENTRUST:
468 /* look for a policy in SPD */
469 if (key_havesp(dir))
470 sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir);
471 else
472 sp = NULL;
473 if (sp == NULL) /* no SP found */
474 sp = KEY_GET_DEFAULT_SP(af);
475 break;
476
477 default:
478 IPSECLOG(LOG_ERR, "Invalid policy for PCB %d\n",
479 currsp->policy);
480 *error = EINVAL;
481 return NULL;
482 }
483 } else { /* unpriv, SPD has policy */
484 if (key_havesp(dir))
485 sp = KEY_LOOKUP_SP_BYSPIDX(&currsp->spidx, dir);
486 else
487 sp = NULL;
488 if (sp == NULL) { /* no SP found */
489 switch (currsp->policy) {
490 case IPSEC_POLICY_BYPASS:
491 IPSECLOG(LOG_ERR, "Illegal policy for "
492 "non-priviliged defined %d\n",
493 currsp->policy);
494 *error = EINVAL;
495 return NULL;
496
497 case IPSEC_POLICY_ENTRUST:
498 sp = KEY_GET_DEFAULT_SP(af);
499 break;
500
501 case IPSEC_POLICY_IPSEC:
502 KEY_SP_REF(currsp);
503 sp = currsp;
504 break;
505
506 default:
507 IPSECLOG(LOG_ERR, "Invalid policy for "
508 "PCB %d\n", currsp->policy);
509 *error = EINVAL;
510 return NULL;
511 }
512 }
513 }
514 KASSERTMSG(sp != NULL, "null SP (priv %u policy %u", pcbsp->priv,
515 currsp->policy);
516 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
517 "DP (priv %u policy %u) allocates SP:%p (refcnt %u)\n",
518 pcbsp->priv, currsp->policy, sp, key_sp_refcnt(sp));
519 ipsec_fillpcbcache(pcbsp, m, sp, dir);
520 return sp;
521 }
522
523 /*
524 * For FORWARDING packet or OUTBOUND without a socket. Searching SPD for packet,
525 * and return a pointer to SP.
526 * OUT: positive: a pointer to the entry for security policy leaf matched.
527 * NULL: no appropriate SP found, the following value is set to error.
528 * 0 : bypass
529 * EACCES : discard packet.
530 * ENOENT : ipsec_acquire() in progress, maybe.
531 * others : error occurred.
532 */
533 static struct secpolicy *
ipsec_getpolicybyaddr(struct mbuf * m,u_int dir,int flag,int * error)534 ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error)
535 {
536 struct secpolicyindex spidx;
537 struct secpolicy *sp;
538
539 KASSERT(m != NULL);
540 KASSERT(error != NULL);
541 KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
542
543 sp = NULL;
544
545 /* Make an index to look for a policy. */
546 *error = ipsec_setspidx(m, &spidx, dir, 1);
547 if (*error != 0) {
548 IPSECLOG(LOG_DEBUG, "setpidx failed, dir %u flag %u\n", dir, flag);
549 memset(&spidx, 0, sizeof(spidx));
550 return NULL;
551 }
552
553 spidx.dir = dir;
554
555 if (key_havesp(dir)) {
556 sp = KEY_LOOKUP_SP_BYSPIDX(&spidx, dir);
557 }
558 if (sp == NULL) {
559 /* no SP found, use system default */
560 sp = KEY_GET_DEFAULT_SP(spidx.dst.sa.sa_family);
561 }
562
563 KASSERT(sp != NULL);
564 return sp;
565 }
566
567 static struct secpolicy *
ipsec_checkpolicy(struct mbuf * m,u_int dir,u_int flag,int * error,struct inpcb * inp)568 ipsec_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error,
569 struct inpcb *inp)
570 {
571 struct secpolicy *sp;
572
573 *error = 0;
574
575 if (inp == NULL) {
576 sp = ipsec_getpolicybyaddr(m, dir, flag, error);
577 } else {
578 KASSERT(inp->inp_socket != NULL);
579 sp = ipsec_getpolicybysock(m, dir, inp, error);
580 }
581 if (sp == NULL) {
582 KASSERTMSG(*error != 0, "getpolicy failed w/o error");
583 IPSEC_STATINC(IPSEC_STAT_OUT_INVAL);
584 return NULL;
585 }
586 KASSERTMSG(*error == 0, "sp w/ error set to %u", *error);
587
588 switch (sp->policy) {
589 case IPSEC_POLICY_ENTRUST:
590 default:
591 printf("%s: invalid policy %u\n", __func__, sp->policy);
592 /* fall thru... */
593 case IPSEC_POLICY_DISCARD:
594 IPSEC_STATINC(IPSEC_STAT_OUT_POLVIO);
595 *error = -EINVAL; /* packet is discarded by caller */
596 break;
597 case IPSEC_POLICY_BYPASS:
598 case IPSEC_POLICY_NONE:
599 KEY_SP_UNREF(&sp);
600 sp = NULL; /* NB: force NULL result */
601 break;
602 case IPSEC_POLICY_IPSEC:
603 KASSERT(sp->req != NULL);
604 break;
605 }
606
607 if (*error != 0) {
608 KEY_SP_UNREF(&sp);
609 sp = NULL;
610 IPSECLOG(LOG_DEBUG, "done, error %d\n", *error);
611 }
612
613 return sp;
614 }
615
616 int
ipsec4_output(struct mbuf * m,struct inpcb * inp,int flags,u_long * mtu,bool * natt_frag,bool * done,bool * count_drop)617 ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
618 u_long *mtu, bool *natt_frag, bool *done, bool *count_drop)
619 {
620 struct secpolicy *sp = NULL;
621 u_long _mtu = 0;
622 int error;
623
624 /*
625 * Check the security policy (SP) for the packet and, if required,
626 * do IPsec-related processing. There are two cases here; the first
627 * time a packet is sent through it will be untagged and handled by
628 * ipsec_checkpolicy(). If the packet is resubmitted to ip_output
629 * (e.g. after AH, ESP, etc. processing), there will be a tag to
630 * bypass the lookup and related policy checking.
631 */
632 if (ipsec_outdone(m)) {
633 return 0;
634 }
635 if (inp && ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND)) {
636 return 0;
637 }
638 sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp);
639
640 /*
641 * There are four return cases:
642 * sp != NULL apply IPsec policy
643 * sp == NULL, error == 0 no IPsec handling needed
644 * sp == NULL, error == -EINVAL discard packet w/o error
645 * sp == NULL, error != 0 discard packet, report error
646 */
647 if (sp == NULL) {
648 if (error) {
649 /*
650 * Hack: -EINVAL is used to signal that a packet
651 * should be silently discarded. This is typically
652 * because we asked key management for an SA and
653 * it was delayed (e.g. kicked up to IKE).
654 */
655 if (error == -EINVAL)
656 error = 0;
657 m_freem(m);
658 *done = true;
659 *count_drop = true;
660 return error;
661 }
662 /* No IPsec processing for this packet. */
663 return 0;
664 }
665
666 /*
667 * Do delayed checksums now because we send before
668 * this is done in the normal processing path.
669 */
670 if (m->m_pkthdr.csum_flags & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
671 in_undefer_cksum_tcpudp(m);
672 m->m_pkthdr.csum_flags &= ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
673 }
674
675 error = ipsec4_process_packet(m, sp->req, &_mtu);
676 if (error == 0 && _mtu != 0) {
677 /*
678 * NAT-T ESP fragmentation: do not do IPSec processing
679 * now, we will do it on each fragmented packet.
680 */
681 *mtu = _mtu;
682 *natt_frag = true;
683 KEY_SP_UNREF(&sp);
684 return 0;
685 }
686
687 /*
688 * Preserve KAME behaviour: ENOENT can be returned
689 * when an SA acquire is in progress. Don't propagate
690 * this to user-level; it confuses applications.
691 *
692 * XXX this will go away when the SADB is redone.
693 */
694 if (error == ENOENT)
695 error = 0;
696 KEY_SP_UNREF(&sp);
697 *done = true;
698 return error;
699 }
700
701 int
ipsec_ip_input_checkpolicy(struct mbuf * m,bool forward)702 ipsec_ip_input_checkpolicy(struct mbuf *m, bool forward)
703 {
704 struct secpolicy *sp;
705 int error;
706
707 error = ipsec_in_reject(m, NULL);
708 if (error) {
709 return EINVAL;
710 }
711
712 if (!forward || !(m->m_flags & M_CANFASTFWD)) {
713 return 0;
714 }
715
716 /*
717 * Peek at the outbound SP for this packet to determine if
718 * it is a Fast Forward candidate.
719 */
720 sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
721 &error, NULL);
722 if (sp != NULL) {
723 m->m_flags &= ~M_CANFASTFWD;
724 KEY_SP_UNREF(&sp);
725 }
726
727 return 0;
728 }
729
730 /*
731 * If the packet is routed over IPsec tunnel, tell the originator the
732 * tunnel MTU.
733 * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
734 *
735 * XXX: Quick hack!!!
736 *
737 * XXX: And what if the MTU goes negative?
738 */
739 void
ipsec_mtu(struct mbuf * m,int * destmtu)740 ipsec_mtu(struct mbuf *m, int *destmtu)
741 {
742 struct secpolicy *sp;
743 size_t ipsechdr;
744 int error;
745
746 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
747 &error);
748 if (sp == NULL) {
749 return;
750 }
751
752 /* Count IPsec header size. */
753 ipsechdr = ipsec_sp_hdrsiz(sp, m);
754
755 /*
756 * Find the correct route for outer IP header, compute tunnel MTU.
757 */
758 if (sp->req) {
759 struct secasvar *sav;
760
761 sav = ipsec_lookup_sa(sp->req, m);
762 if (sav != NULL) {
763 struct route *ro;
764 struct rtentry *rt;
765
766 ro = &sav->sah->sa_route;
767 rt = rtcache_validate(ro);
768 if (rt && rt->rt_ifp) {
769 *destmtu = rt->rt_rmx.rmx_mtu ?
770 rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
771 *destmtu -= ipsechdr;
772 }
773 rtcache_unref(rt, ro);
774 KEY_SA_UNREF(&sav);
775 }
776 }
777 KEY_SP_UNREF(&sp);
778 }
779
780 static int
ipsec_setspidx_inpcb(struct mbuf * m,struct inpcb * inp)781 ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp)
782 {
783 int error;
784
785 KASSERT(inp != NULL);
786 KASSERT(inp->inp_sp != NULL);
787 KASSERT(inp->inp_sp->sp_out != NULL);
788 KASSERT(inp->inp_sp->sp_in != NULL);
789
790 error = ipsec_setspidx(m, &inp->inp_sp->sp_in->spidx,
791 IPSEC_DIR_INBOUND, 1);
792 if (error == 0) {
793 inp->inp_sp->sp_out->spidx = inp->inp_sp->sp_in->spidx;
794 inp->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND;
795 } else {
796 memset(&inp->inp_sp->sp_in->spidx, 0,
797 sizeof(inp->inp_sp->sp_in->spidx));
798 memset(&inp->inp_sp->sp_out->spidx, 0,
799 sizeof(inp->inp_sp->sp_out->spidx));
800 }
801 return error;
802 }
803
804 /*
805 * configure security policy index (src/dst/proto/sport/dport)
806 * by looking at the content of mbuf.
807 * the caller is responsible for error recovery (like clearing up spidx).
808 */
809 static int
ipsec_setspidx(struct mbuf * m,struct secpolicyindex * spidx,int dir,int needport)810 ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int dir,
811 int needport)
812 {
813 struct ip *ip = NULL;
814 struct ip ipbuf;
815 u_int v;
816 int error;
817
818 KASSERT(m != NULL);
819 M_VERIFY_PACKET(m);
820
821 if (m->m_pkthdr.len < sizeof(struct ip)) {
822 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
823 "pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
824 m->m_pkthdr.len);
825 return EINVAL;
826 }
827
828 memset(spidx, 0, sizeof(*spidx));
829 spidx->dir = dir;
830
831 if (m->m_len >= sizeof(*ip)) {
832 ip = mtod(m, struct ip *);
833 } else {
834 m_copydata(m, 0, sizeof(ipbuf), &ipbuf);
835 ip = &ipbuf;
836 }
837 v = ip->ip_v;
838 switch (v) {
839 case 4:
840 error = ipsec4_setspidx_ipaddr(m, spidx);
841 if (error)
842 return error;
843 ipsec4_get_ulp(m, spidx, needport);
844 return 0;
845 #ifdef INET6
846 case 6:
847 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
848 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
849 "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
850 "ignored.\n", m->m_pkthdr.len);
851 return EINVAL;
852 }
853 error = ipsec6_setspidx_ipaddr(m, spidx);
854 if (error)
855 return error;
856 ipsec6_get_ulp(m, spidx, needport);
857 return 0;
858 #endif
859 default:
860 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
861 "unknown IP version %u, ignored.\n", v);
862 return EINVAL;
863 }
864 }
865
866 static void
ipsec4_get_ulp(struct mbuf * m,struct secpolicyindex * spidx,int needport)867 ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
868 {
869 u_int8_t nxt;
870 int off;
871
872 KASSERT(m != NULL);
873 KASSERTMSG(m->m_pkthdr.len >= sizeof(struct ip), "packet too short");
874
875 /* NB: ip_input() flips it into host endian XXX need more checking */
876 if (m->m_len >= sizeof(struct ip)) {
877 struct ip *ip = mtod(m, struct ip *);
878 if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
879 goto done;
880 off = ip->ip_hl << 2;
881 nxt = ip->ip_p;
882 } else {
883 struct ip ih;
884
885 m_copydata(m, 0, sizeof(struct ip), &ih);
886 if (ih.ip_off & htons(IP_MF | IP_OFFMASK))
887 goto done;
888 off = ih.ip_hl << 2;
889 nxt = ih.ip_p;
890 }
891
892 while (off < m->m_pkthdr.len) {
893 struct ip6_ext ip6e;
894 struct tcphdr th;
895 struct udphdr uh;
896 struct icmp icmph;
897
898 switch (nxt) {
899 case IPPROTO_TCP:
900 spidx->ul_proto = nxt;
901 if (!needport)
902 goto done_proto;
903 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
904 goto done;
905 m_copydata(m, off, sizeof(th), &th);
906 spidx->src.sin.sin_port = th.th_sport;
907 spidx->dst.sin.sin_port = th.th_dport;
908 return;
909 case IPPROTO_UDP:
910 spidx->ul_proto = nxt;
911 if (!needport)
912 goto done_proto;
913 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
914 goto done;
915 m_copydata(m, off, sizeof(uh), &uh);
916 spidx->src.sin.sin_port = uh.uh_sport;
917 spidx->dst.sin.sin_port = uh.uh_dport;
918 return;
919 case IPPROTO_AH:
920 if (off + sizeof(ip6e) > m->m_pkthdr.len)
921 goto done;
922 /* XXX sigh, this works but is totally bogus */
923 m_copydata(m, off, sizeof(ip6e), &ip6e);
924 off += (ip6e.ip6e_len + 2) << 2;
925 nxt = ip6e.ip6e_nxt;
926 break;
927 case IPPROTO_ICMP:
928 spidx->ul_proto = nxt;
929 if (off + sizeof(struct icmp) > m->m_pkthdr.len)
930 goto done;
931 m_copydata(m, off, sizeof(icmph), &icmph);
932 ((struct sockaddr_in *)&spidx->src)->sin_port =
933 htons((uint16_t)icmph.icmp_type);
934 ((struct sockaddr_in *)&spidx->dst)->sin_port =
935 htons((uint16_t)icmph.icmp_code);
936 return;
937 default:
938 /* XXX intermediate headers??? */
939 spidx->ul_proto = nxt;
940 goto done_proto;
941 }
942 }
943 done:
944 spidx->ul_proto = IPSEC_ULPROTO_ANY;
945 done_proto:
946 spidx->src.sin.sin_port = IPSEC_PORT_ANY;
947 spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
948 }
949
950 static int
ipsec4_setspidx_ipaddr(struct mbuf * m,struct secpolicyindex * spidx)951 ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
952 {
953 static const struct sockaddr_in template = {
954 sizeof(struct sockaddr_in),
955 AF_INET,
956 0, { 0 }, { 0, 0, 0, 0, 0, 0, 0, 0 }
957 };
958
959 spidx->src.sin = template;
960 spidx->dst.sin = template;
961
962 if (m->m_len < sizeof(struct ip)) {
963 m_copydata(m, offsetof(struct ip, ip_src),
964 sizeof(struct in_addr), &spidx->src.sin.sin_addr);
965 m_copydata(m, offsetof(struct ip, ip_dst),
966 sizeof(struct in_addr), &spidx->dst.sin.sin_addr);
967 } else {
968 struct ip *ip = mtod(m, struct ip *);
969 spidx->src.sin.sin_addr = ip->ip_src;
970 spidx->dst.sin.sin_addr = ip->ip_dst;
971 }
972
973 spidx->prefs = sizeof(struct in_addr) << 3;
974 spidx->prefd = sizeof(struct in_addr) << 3;
975
976 return 0;
977 }
978
979 #ifdef INET6
980 static void
ipsec6_get_ulp(struct mbuf * m,struct secpolicyindex * spidx,int needport)981 ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
982 {
983 int off, nxt;
984 struct tcphdr th;
985 struct udphdr uh;
986 struct icmp6_hdr icmph;
987
988 KASSERT(m != NULL);
989
990 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
991 kdebug_mbuf(__func__, m);
992 }
993
994 /* set default */
995 spidx->ul_proto = IPSEC_ULPROTO_ANY;
996 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
997 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
998
999 nxt = -1;
1000 off = ip6_lasthdr(m, 0, IPPROTO_IPV6, &nxt);
1001 if (off < 0 || m->m_pkthdr.len < off)
1002 return;
1003
1004 switch (nxt) {
1005 case IPPROTO_TCP:
1006 spidx->ul_proto = nxt;
1007 if (!needport)
1008 break;
1009 if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1010 break;
1011 m_copydata(m, off, sizeof(th), &th);
1012 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1013 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1014 break;
1015 case IPPROTO_UDP:
1016 spidx->ul_proto = nxt;
1017 if (!needport)
1018 break;
1019 if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1020 break;
1021 m_copydata(m, off, sizeof(uh), &uh);
1022 ((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1023 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1024 break;
1025 case IPPROTO_ICMPV6:
1026 spidx->ul_proto = nxt;
1027 if (off + sizeof(struct icmp6_hdr) > m->m_pkthdr.len)
1028 break;
1029 m_copydata(m, off, sizeof(icmph), &icmph);
1030 ((struct sockaddr_in6 *)&spidx->src)->sin6_port =
1031 htons((uint16_t)icmph.icmp6_type);
1032 ((struct sockaddr_in6 *)&spidx->dst)->sin6_port =
1033 htons((uint16_t)icmph.icmp6_code);
1034 break;
1035 default:
1036 /* XXX intermediate headers??? */
1037 spidx->ul_proto = nxt;
1038 break;
1039 }
1040 }
1041
1042 static int
ipsec6_setspidx_ipaddr(struct mbuf * m,struct secpolicyindex * spidx)1043 ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
1044 {
1045 struct ip6_hdr *ip6 = NULL;
1046 struct ip6_hdr ip6buf;
1047 struct sockaddr_in6 *sin6;
1048
1049 if (m->m_len >= sizeof(*ip6)) {
1050 ip6 = mtod(m, struct ip6_hdr *);
1051 } else {
1052 m_copydata(m, 0, sizeof(ip6buf), &ip6buf);
1053 ip6 = &ip6buf;
1054 }
1055
1056 sin6 = (struct sockaddr_in6 *)&spidx->src;
1057 memset(sin6, 0, sizeof(*sin6));
1058 sin6->sin6_family = AF_INET6;
1059 sin6->sin6_len = sizeof(struct sockaddr_in6);
1060 memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src));
1061 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1062 sin6->sin6_addr.s6_addr16[1] = 0;
1063 sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
1064 }
1065 spidx->prefs = sizeof(struct in6_addr) << 3;
1066
1067 sin6 = (struct sockaddr_in6 *)&spidx->dst;
1068 memset(sin6, 0, sizeof(*sin6));
1069 sin6->sin6_family = AF_INET6;
1070 sin6->sin6_len = sizeof(struct sockaddr_in6);
1071 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst));
1072 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1073 sin6->sin6_addr.s6_addr16[1] = 0;
1074 sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
1075 }
1076 spidx->prefd = sizeof(struct in6_addr) << 3;
1077
1078 return 0;
1079 }
1080 #endif
1081
1082 static void
ipsec_delpcbpolicy(struct inpcbpolicy * p)1083 ipsec_delpcbpolicy(struct inpcbpolicy *p)
1084 {
1085
1086 kmem_intr_free(p, sizeof(*p));
1087 }
1088
1089 int
ipsec_init_pcbpolicy(struct socket * so,struct inpcbpolicy ** policy)1090 ipsec_init_pcbpolicy(struct socket *so, struct inpcbpolicy **policy)
1091 {
1092 struct inpcbpolicy *new;
1093
1094 KASSERT(so != NULL);
1095 KASSERT(policy != NULL);
1096
1097 new = kmem_intr_zalloc(sizeof(*new), KM_NOSLEEP);
1098 if (new == NULL) {
1099 IPSECLOG(LOG_DEBUG, "No more memory.\n");
1100 return ENOBUFS;
1101 }
1102
1103 if (IPSEC_PRIVILEGED_SO(so))
1104 new->priv = 1;
1105 else
1106 new->priv = 0;
1107
1108 /*
1109 * Set dummy SPs. Actual SPs will be allocated later if needed.
1110 */
1111 new->sp_in = &ipsec_dummy_sp;
1112 new->sp_out = &ipsec_dummy_sp;
1113
1114 *policy = new;
1115
1116 return 0;
1117 }
1118
1119 static void
ipsec_destroy_policy(struct secpolicy * sp)1120 ipsec_destroy_policy(struct secpolicy *sp)
1121 {
1122
1123 if (sp == &ipsec_dummy_sp) {
1124 ; /* It's dummy. No need to free it. */
1125 } else {
1126 /*
1127 * We cannot destroy here because it can be called in
1128 * softint. So mark the SP as DEAD and let the timer
1129 * destroy it. See key_timehandler_spd.
1130 */
1131 sp->state = IPSEC_SPSTATE_DEAD;
1132 }
1133 }
1134
1135 int
ipsec_set_policy(struct inpcb * inp,const void * request,size_t len,kauth_cred_t cred)1136 ipsec_set_policy(struct inpcb *inp, const void *request, size_t len,
1137 kauth_cred_t cred)
1138 {
1139 const struct sadb_x_policy *xpl;
1140 struct secpolicy *newsp, *oldsp;
1141 struct secpolicy **policy;
1142 int error;
1143
1144 KASSERT(!cpu_softintr_p());
1145 KASSERT(inp != NULL);
1146 KASSERT(inp_locked(inp));
1147 KASSERT(request != NULL);
1148
1149 if (len < sizeof(*xpl))
1150 return EINVAL;
1151 xpl = (const struct sadb_x_policy *)request;
1152
1153 KASSERT(inp->inp_sp != NULL);
1154
1155 /* select direction */
1156 switch (xpl->sadb_x_policy_dir) {
1157 case IPSEC_DIR_INBOUND:
1158 policy = &inp->inp_sp->sp_in;
1159 break;
1160 case IPSEC_DIR_OUTBOUND:
1161 policy = &inp->inp_sp->sp_out;
1162 break;
1163 default:
1164 IPSECLOG(LOG_ERR, "invalid direction=%u\n",
1165 xpl->sadb_x_policy_dir);
1166 return EINVAL;
1167 }
1168
1169 /* sanity check. */
1170 if (policy == NULL || *policy == NULL)
1171 return EINVAL;
1172
1173 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1174 kdebug_sadb_xpolicy("set passed policy", request);
1175 }
1176
1177 /* check policy type */
1178 /* ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. */
1179 if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD ||
1180 xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1181 return EINVAL;
1182
1183 /* check privileged socket */
1184 if (xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS) {
1185 error = kauth_authorize_network(cred, KAUTH_NETWORK_IPSEC,
1186 KAUTH_REQ_NETWORK_IPSEC_BYPASS, NULL, NULL, NULL);
1187 if (error)
1188 return error;
1189 }
1190
1191 /* allocation new SP entry */
1192 if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1193 return error;
1194
1195 key_init_sp(newsp);
1196 newsp->created = time_uptime;
1197 /* Insert the global list for SPs for sockets */
1198 key_socksplist_add(newsp);
1199
1200 /* clear old SP and set new SP */
1201 oldsp = *policy;
1202 *policy = newsp;
1203 ipsec_destroy_policy(oldsp);
1204
1205 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1206 printf("%s: new policy\n", __func__);
1207 kdebug_secpolicy(newsp);
1208 }
1209
1210 return 0;
1211 }
1212
1213 int
ipsec_get_policy(struct inpcb * inp,const void * request,size_t len,struct mbuf ** mp)1214 ipsec_get_policy(struct inpcb *inp, const void *request, size_t len,
1215 struct mbuf **mp)
1216 {
1217 const struct sadb_x_policy *xpl;
1218 struct secpolicy *policy;
1219
1220 /* sanity check. */
1221 if (inp == NULL || request == NULL || mp == NULL)
1222 return EINVAL;
1223 KASSERT(inp->inp_sp != NULL);
1224 if (len < sizeof(*xpl))
1225 return EINVAL;
1226 xpl = (const struct sadb_x_policy *)request;
1227
1228 /* select direction */
1229 switch (xpl->sadb_x_policy_dir) {
1230 case IPSEC_DIR_INBOUND:
1231 policy = inp->inp_sp->sp_in;
1232 break;
1233 case IPSEC_DIR_OUTBOUND:
1234 policy = inp->inp_sp->sp_out;
1235 break;
1236 default:
1237 IPSECLOG(LOG_ERR, "invalid direction=%u\n",
1238 xpl->sadb_x_policy_dir);
1239 return EINVAL;
1240 }
1241
1242 if (policy == NULL)
1243 return EINVAL;
1244
1245 *mp = key_sp2msg(policy, M_NOWAIT);
1246 if (!*mp) {
1247 IPSECLOG(LOG_DEBUG, "No more memory.\n");
1248 return ENOBUFS;
1249 }
1250
1251 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DUMP)) {
1252 kdebug_mbuf(__func__, *mp);
1253 }
1254
1255 return 0;
1256 }
1257
1258 int
ipsec_delete_pcbpolicy(struct inpcb * inp)1259 ipsec_delete_pcbpolicy(struct inpcb *inp)
1260 {
1261
1262 KASSERT(inp != NULL);
1263
1264 if (inp->inp_sp == NULL)
1265 return 0;
1266
1267 if (inp->inp_sp->sp_in != NULL)
1268 ipsec_destroy_policy(inp->inp_sp->sp_in);
1269
1270 if (inp->inp_sp->sp_out != NULL)
1271 ipsec_destroy_policy(inp->inp_sp->sp_out);
1272
1273 ipsec_invalpcbcache(inp->inp_sp, IPSEC_DIR_ANY);
1274
1275 ipsec_delpcbpolicy(inp->inp_sp);
1276 inp->inp_sp = NULL;
1277
1278 return 0;
1279 }
1280
1281 /*
1282 * Return the current level (either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE).
1283 */
1284 u_int
ipsec_get_reqlevel(const struct ipsecrequest * isr)1285 ipsec_get_reqlevel(const struct ipsecrequest *isr)
1286 {
1287 u_int level = 0;
1288 u_int esp_trans_deflev, esp_net_deflev;
1289 u_int ah_trans_deflev, ah_net_deflev;
1290
1291 KASSERT(isr != NULL);
1292 KASSERT(isr->sp != NULL);
1293 KASSERTMSG(
1294 isr->sp->spidx.src.sa.sa_family == isr->sp->spidx.dst.sa.sa_family,
1295 "af family mismatch, src %u, dst %u",
1296 isr->sp->spidx.src.sa.sa_family, isr->sp->spidx.dst.sa.sa_family);
1297
1298 /* XXX note that we have ipseclog() expanded here - code sync issue */
1299 #define IPSEC_CHECK_DEFAULT(lev) \
1300 (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1301 && (lev) != IPSEC_LEVEL_UNIQUE) ? \
1302 (ipsec_debug ? log(LOG_INFO, "fixed system default level " #lev \
1303 ":%d->%d\n", (lev), IPSEC_LEVEL_REQUIRE) : (void)0), \
1304 (lev) = IPSEC_LEVEL_REQUIRE, (lev) \
1305 : (lev))
1306
1307 /* set default level */
1308 switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1309 #ifdef INET
1310 case AF_INET:
1311 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1312 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1313 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1314 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1315 break;
1316 #endif
1317 #ifdef INET6
1318 case AF_INET6:
1319 esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1320 esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1321 ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1322 ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1323 break;
1324 #endif
1325 default:
1326 panic("%s: unknown af %u", __func__,
1327 isr->sp->spidx.src.sa.sa_family);
1328 }
1329
1330 #undef IPSEC_CHECK_DEFAULT
1331
1332 /* set level */
1333 switch (isr->level) {
1334 case IPSEC_LEVEL_DEFAULT:
1335 switch (isr->saidx.proto) {
1336 case IPPROTO_ESP:
1337 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1338 level = esp_net_deflev;
1339 else
1340 level = esp_trans_deflev;
1341 break;
1342 case IPPROTO_AH:
1343 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1344 level = ah_net_deflev;
1345 else
1346 level = ah_trans_deflev;
1347 break;
1348 case IPPROTO_IPCOMP:
1349 /*
1350 * we don't really care, as IPcomp document says that
1351 * we shouldn't compress small packets
1352 */
1353 level = IPSEC_LEVEL_USE;
1354 break;
1355 default:
1356 panic("%s: Illegal protocol defined %u", __func__,
1357 isr->saidx.proto);
1358 }
1359 break;
1360
1361 case IPSEC_LEVEL_USE:
1362 case IPSEC_LEVEL_REQUIRE:
1363 level = isr->level;
1364 break;
1365 case IPSEC_LEVEL_UNIQUE:
1366 level = IPSEC_LEVEL_REQUIRE;
1367 break;
1368
1369 default:
1370 panic("%s: Illegal IPsec level %u", __func__, isr->level);
1371 }
1372
1373 return level;
1374 }
1375
1376 /*
1377 * Check security policy requirements against the actual packet contents.
1378 *
1379 * If the SP requires an IPsec packet, and the packet was neither AH nor ESP,
1380 * then kick it.
1381 */
1382 static int
ipsec_sp_reject(const struct secpolicy * sp,const struct mbuf * m)1383 ipsec_sp_reject(const struct secpolicy *sp, const struct mbuf *m)
1384 {
1385 struct ipsecrequest *isr;
1386
1387 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
1388 printf("%s: using SP\n", __func__);
1389 kdebug_secpolicy(sp);
1390 }
1391
1392 /* check policy */
1393 switch (sp->policy) {
1394 case IPSEC_POLICY_DISCARD:
1395 return 1;
1396 case IPSEC_POLICY_BYPASS:
1397 case IPSEC_POLICY_NONE:
1398 return 0;
1399 }
1400
1401 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
1402 "invalid policy %u", sp->policy);
1403
1404 /* XXX should compare policy against ipsec header history */
1405
1406 for (isr = sp->req; isr != NULL; isr = isr->next) {
1407 if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_REQUIRE)
1408 continue;
1409 switch (isr->saidx.proto) {
1410 case IPPROTO_ESP:
1411 if ((m->m_flags & M_DECRYPTED) == 0) {
1412 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
1413 "ESP m_flags:%x\n", m->m_flags);
1414 return 1;
1415 }
1416 break;
1417 case IPPROTO_AH:
1418 if ((m->m_flags & M_AUTHIPHDR) == 0) {
1419 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DUMP,
1420 "AH m_flags:%x\n", m->m_flags);
1421 return 1;
1422 }
1423 break;
1424 case IPPROTO_IPCOMP:
1425 /*
1426 * We don't really care, as IPcomp document
1427 * says that we shouldn't compress small
1428 * packets, IPComp policy should always be
1429 * treated as being in "use" level.
1430 */
1431 break;
1432 }
1433 }
1434
1435 return 0;
1436 }
1437
1438 /*
1439 * Check security policy requirements.
1440 */
1441 int
ipsec_in_reject(struct mbuf * m,struct inpcb * inp)1442 ipsec_in_reject(struct mbuf *m, struct inpcb *inp)
1443 {
1444 struct secpolicy *sp;
1445 int error;
1446 int result;
1447
1448 KASSERT(m != NULL);
1449
1450 if (inp == NULL)
1451 sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
1452 IP_FORWARDING, &error);
1453 else
1454 sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND,
1455 inp, &error);
1456
1457 if (sp != NULL) {
1458 result = ipsec_sp_reject(sp, m);
1459 if (result)
1460 IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
1461 KEY_SP_UNREF(&sp);
1462 } else {
1463 result = 0;
1464 }
1465 return result;
1466 }
1467
1468 /*
1469 * Compute the byte size to be occupied by the IPsec header. If it is
1470 * tunneled, it includes the size of outer IP header.
1471 */
1472 static size_t
ipsec_sp_hdrsiz(const struct secpolicy * sp,const struct mbuf * m)1473 ipsec_sp_hdrsiz(const struct secpolicy *sp, const struct mbuf *m)
1474 {
1475 struct ipsecrequest *isr;
1476 size_t siz;
1477
1478 if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
1479 printf("%s: using SP\n", __func__);
1480 kdebug_secpolicy(sp);
1481 }
1482
1483 switch (sp->policy) {
1484 case IPSEC_POLICY_DISCARD:
1485 case IPSEC_POLICY_BYPASS:
1486 case IPSEC_POLICY_NONE:
1487 return 0;
1488 }
1489
1490 KASSERTMSG(sp->policy == IPSEC_POLICY_IPSEC,
1491 "invalid policy %u", sp->policy);
1492
1493 siz = 0;
1494 for (isr = sp->req; isr != NULL; isr = isr->next) {
1495 size_t clen = 0;
1496 struct secasvar *sav;
1497
1498 switch (isr->saidx.proto) {
1499 case IPPROTO_ESP:
1500 sav = ipsec_lookup_sa(isr, m);
1501 if (sav != NULL) {
1502 clen = esp_hdrsiz(sav);
1503 KEY_SA_UNREF(&sav);
1504 } else
1505 clen = esp_hdrsiz(NULL);
1506 break;
1507 case IPPROTO_AH:
1508 sav = ipsec_lookup_sa(isr, m);
1509 if (sav != NULL) {
1510 clen = ah_hdrsiz(sav);
1511 KEY_SA_UNREF(&sav);
1512 } else
1513 clen = ah_hdrsiz(NULL);
1514 break;
1515 case IPPROTO_IPCOMP:
1516 clen = sizeof(struct ipcomp);
1517 break;
1518 }
1519
1520 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
1521 switch (isr->saidx.dst.sa.sa_family) {
1522 case AF_INET:
1523 clen += sizeof(struct ip);
1524 break;
1525 #ifdef INET6
1526 case AF_INET6:
1527 clen += sizeof(struct ip6_hdr);
1528 break;
1529 #endif
1530 default:
1531 IPSECLOG(LOG_ERR, "unknown AF %d in "
1532 "IPsec tunnel SA\n",
1533 ((const struct sockaddr *)&isr->saidx.dst)
1534 ->sa_family);
1535 break;
1536 }
1537 }
1538 siz += clen;
1539 }
1540
1541 return siz;
1542 }
1543
1544 size_t
ipsec_hdrsiz(struct mbuf * m,u_int dir,struct inpcb * inp)1545 ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
1546 {
1547 struct secpolicy *sp;
1548 int error;
1549 size_t size;
1550
1551 KASSERT(m != NULL);
1552 KASSERTMSG(inp == NULL || inp->inp_socket != NULL,
1553 "socket w/o inpcb");
1554
1555 if (inp == NULL)
1556 sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
1557 else
1558 sp = ipsec_getpolicybysock(m, dir, inp, &error);
1559
1560 if (sp != NULL) {
1561 size = ipsec_sp_hdrsiz(sp, m);
1562 KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_DATA, "size:%zu.\n", size);
1563 KEY_SP_UNREF(&sp);
1564 } else {
1565 size = 0;
1566 }
1567
1568 return size;
1569 }
1570
1571 /*
1572 * Check the variable replay window.
1573 * ipsec_chkreplay() performs replay check before ICV verification.
1574 * ipsec_updatereplay() updates replay bitmap. This must be called after
1575 * ICV verification (it also performs replay check, which is usually done
1576 * beforehand).
1577 * 0 (zero) is returned if packet disallowed, 1 if packet permitted.
1578 *
1579 * based on RFC 2401.
1580 */
1581 int
ipsec_chkreplay(u_int32_t seq,const struct secasvar * sav)1582 ipsec_chkreplay(u_int32_t seq, const struct secasvar *sav)
1583 {
1584 const struct secreplay *replay;
1585 u_int32_t diff;
1586 int fr;
1587 u_int32_t wsizeb; /* constant: bits of window size */
1588 int frlast; /* constant: last frame */
1589
1590 KASSERT(sav != NULL);
1591 KASSERT(sav->replay != NULL);
1592
1593 replay = sav->replay;
1594
1595 if (replay->wsize == 0)
1596 return 1; /* no need to check replay. */
1597
1598 /* constant */
1599 frlast = replay->wsize - 1;
1600 wsizeb = replay->wsize << 3;
1601
1602 /* sequence number of 0 is invalid */
1603 if (seq == 0)
1604 return 0;
1605
1606 /* first time is always okay */
1607 if (replay->count == 0)
1608 return 1;
1609
1610 if (seq > replay->lastseq) {
1611 /* larger sequences are okay */
1612 return 1;
1613 } else {
1614 /* seq is equal or less than lastseq. */
1615 diff = replay->lastseq - seq;
1616
1617 /* over range to check, i.e. too old or wrapped */
1618 if (diff >= wsizeb)
1619 return 0;
1620
1621 fr = frlast - diff / 8;
1622
1623 /* this packet already seen ? */
1624 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
1625 return 0;
1626
1627 /* out of order but good */
1628 return 1;
1629 }
1630 }
1631
1632 /*
1633 * check replay counter whether to update or not.
1634 * OUT: 0: OK
1635 * 1: NG
1636 */
1637 int
ipsec_updatereplay(u_int32_t seq,const struct secasvar * sav)1638 ipsec_updatereplay(u_int32_t seq, const struct secasvar *sav)
1639 {
1640 struct secreplay *replay;
1641 u_int32_t diff;
1642 int fr;
1643 u_int32_t wsizeb; /* constant: bits of window size */
1644 int frlast; /* constant: last frame */
1645
1646 KASSERT(sav != NULL);
1647 KASSERT(sav->replay != NULL);
1648
1649 replay = sav->replay;
1650
1651 if (replay->wsize == 0)
1652 goto ok; /* no need to check replay. */
1653
1654 /* constant */
1655 frlast = replay->wsize - 1;
1656 wsizeb = replay->wsize << 3;
1657
1658 /* sequence number of 0 is invalid */
1659 if (seq == 0)
1660 return 1;
1661
1662 /* first time */
1663 if (replay->count == 0) {
1664 replay->lastseq = seq;
1665 memset(replay->bitmap, 0, replay->wsize);
1666 (replay->bitmap)[frlast] = 1;
1667 goto ok;
1668 }
1669
1670 if (seq > replay->lastseq) {
1671 /* seq is larger than lastseq. */
1672 diff = seq - replay->lastseq;
1673
1674 /* new larger sequence number */
1675 if (diff < wsizeb) {
1676 /* In window */
1677 /* set bit for this packet */
1678 vshiftl(replay->bitmap, diff, replay->wsize);
1679 (replay->bitmap)[frlast] |= 1;
1680 } else {
1681 /* this packet has a "way larger" */
1682 memset(replay->bitmap, 0, replay->wsize);
1683 (replay->bitmap)[frlast] = 1;
1684 }
1685 replay->lastseq = seq;
1686
1687 /* larger is good */
1688 } else {
1689 /* seq is equal or less than lastseq. */
1690 diff = replay->lastseq - seq;
1691
1692 /* over range to check, i.e. too old or wrapped */
1693 if (diff >= wsizeb)
1694 return 1;
1695
1696 fr = frlast - diff / 8;
1697
1698 /* this packet already seen ? */
1699 if ((replay->bitmap)[fr] & (1 << (diff % 8)))
1700 return 1;
1701
1702 /* mark as seen */
1703 (replay->bitmap)[fr] |= (1 << (diff % 8));
1704
1705 /* out of order but good */
1706 }
1707
1708 ok:
1709 if (replay->count == ~0) {
1710 char buf[IPSEC_LOGSASTRLEN];
1711
1712 /* set overflow flag */
1713 replay->overflow++;
1714
1715 /* don't increment, no more packets accepted */
1716 if ((sav->flags & SADB_X_EXT_CYCSEQ) == 0)
1717 return 1;
1718
1719 IPSECLOG(LOG_WARNING, "replay counter made %d cycle. %s\n",
1720 replay->overflow, ipsec_logsastr(sav, buf, sizeof(buf)));
1721 }
1722
1723 replay->count++;
1724
1725 return 0;
1726 }
1727
1728 /*
1729 * shift variable length buffer to left.
1730 * IN: bitmap: pointer to the buffer
1731 * nbit: the number of to shift.
1732 * wsize: buffer size (bytes).
1733 */
1734 static void
vshiftl(unsigned char * bitmap,int nbit,int wsize)1735 vshiftl(unsigned char *bitmap, int nbit, int wsize)
1736 {
1737 int s, j, i;
1738 unsigned char over;
1739
1740 for (j = 0; j < nbit; j += 8) {
1741 s = (nbit - j < 8) ? (nbit - j): 8;
1742 bitmap[0] <<= s;
1743 for (i = 1; i < wsize; i++) {
1744 over = (bitmap[i] >> (8 - s));
1745 bitmap[i] <<= s;
1746 bitmap[i-1] |= over;
1747 }
1748 }
1749
1750 return;
1751 }
1752
1753 /* Return a printable string for the address. */
1754 const char *
ipsec_address(const union sockaddr_union * sa,char * buf,size_t size)1755 ipsec_address(const union sockaddr_union *sa, char *buf, size_t size)
1756 {
1757 switch (sa->sa.sa_family) {
1758 case AF_INET:
1759 in_print(buf, size, &sa->sin.sin_addr);
1760 return buf;
1761 #if INET6
1762 case AF_INET6:
1763 in6_print(buf, size, &sa->sin6.sin6_addr);
1764 return buf;
1765 #endif
1766 default:
1767 return "(unknown address family)";
1768 }
1769 }
1770
1771 const char *
ipsec_logsastr(const struct secasvar * sav,char * buf,size_t size)1772 ipsec_logsastr(const struct secasvar *sav, char *buf, size_t size)
1773 {
1774 const struct secasindex *saidx = &sav->sah->saidx;
1775 char sbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
1776
1777 KASSERTMSG(saidx->src.sa.sa_family == saidx->dst.sa.sa_family,
1778 "af family mismatch, src %u, dst %u",
1779 saidx->src.sa.sa_family, saidx->dst.sa.sa_family);
1780
1781 snprintf(buf, size, "SA(SPI=%u src=%s dst=%s)",
1782 (u_int32_t)ntohl(sav->spi),
1783 ipsec_address(&saidx->src, sbuf, sizeof(sbuf)),
1784 ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)));
1785
1786 return buf;
1787 }
1788
1789 #ifdef INET6
1790 struct secpolicy *
ipsec6_check_policy(struct mbuf * m,struct inpcb * inp,int flags,int * needipsecp,int * errorp)1791 ipsec6_check_policy(struct mbuf *m, struct inpcb *inp, int flags,
1792 int *needipsecp, int *errorp)
1793 {
1794 struct secpolicy *sp = NULL;
1795 int error = 0;
1796 int needipsec = 0;
1797
1798 if (ipsec_outdone(m)) {
1799 goto skippolicycheck;
1800 }
1801 if (inp && ipsec_pcb_skip_ipsec(inp->inp_sp, IPSEC_DIR_OUTBOUND)) {
1802 goto skippolicycheck;
1803 }
1804 sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, inp);
1805
1806 /*
1807 * There are four return cases:
1808 * sp != NULL apply IPsec policy
1809 * sp == NULL, error == 0 no IPsec handling needed
1810 * sp == NULL, error == -EINVAL discard packet w/o error
1811 * sp == NULL, error != 0 discard packet, report error
1812 */
1813 if (sp == NULL) {
1814 needipsec = 0;
1815 } else {
1816 needipsec = 1;
1817 }
1818
1819 skippolicycheck:
1820 *errorp = error;
1821 *needipsecp = needipsec;
1822 return sp;
1823 }
1824
1825 /*
1826 * calculate UDP checksum for UDP encapsulated ESP for IPv6.
1827 *
1828 * RFC2460(Internet Protocol, Version 6 Specification) says:
1829 *
1830 * IPv6 receivers MUST discard UDP packets with a zero checksum.
1831 *
1832 * There is more relaxed specification RFC6935(IPv6 and UDP Checksums for
1833 * Tunneled Packets). The document allows zero checksum. It's too
1834 * late to publish, there are a lot of interoperability problems...
1835 */
1836 void
ipsec6_udp_cksum(struct mbuf * m)1837 ipsec6_udp_cksum(struct mbuf *m)
1838 {
1839 struct ip6_hdr *ip6;
1840 uint16_t plen, uh_sum;
1841 int off;
1842
1843 /* must called after m_pullup() */
1844 KASSERT(m->m_len >= sizeof(struct ip6_hdr));
1845
1846 ip6 = mtod(m, struct ip6_hdr *);
1847 KASSERT(ip6->ip6_nxt == IPPROTO_UDP);
1848
1849 /* ip6->ip6_plen can not be updated before ip6_output() */
1850 plen = m->m_pkthdr.len - sizeof(*ip6);
1851 KASSERT(plen >= sizeof(struct udphdr));
1852
1853 uh_sum = in6_cksum(m, IPPROTO_UDP, sizeof(*ip6), plen);
1854 if (uh_sum == 0)
1855 uh_sum = 0xffff;
1856
1857 off = sizeof(*ip6) + offsetof(struct udphdr, uh_sum);
1858 m_copyback(m, off, sizeof(uh_sum), (void *)&uh_sum);
1859 }
1860 #endif /* INET6 */
1861
1862 /*
1863 * -----------------------------------------------------------------------------
1864 */
1865
1866 /* XXX this stuff doesn't belong here... */
1867
1868 static struct xformsw *xforms = NULL;
1869
1870 /*
1871 * Register a transform; typically at system startup.
1872 */
1873 void
xform_register(struct xformsw * xsp)1874 xform_register(struct xformsw *xsp)
1875 {
1876 xsp->xf_next = xforms;
1877 xforms = xsp;
1878 }
1879
1880 /*
1881 * Initialize transform support in an sav.
1882 */
1883 int
xform_init(struct secasvar * sav,int xftype)1884 xform_init(struct secasvar *sav, int xftype)
1885 {
1886 struct xformsw *xsp;
1887
1888 if (sav->tdb_xform != NULL) /* previously initialized */
1889 return 0;
1890 for (xsp = xforms; xsp; xsp = xsp->xf_next)
1891 if (xsp->xf_type == xftype)
1892 return (*xsp->xf_init)(sav, xsp);
1893
1894 IPSECLOG(LOG_DEBUG, "no match for xform type %d\n", xftype);
1895 return EINVAL;
1896 }
1897
1898 /*
1899 * XXXJRT This should be done as a protosw init call.
1900 */
1901 void
ipsec_attach(void)1902 ipsec_attach(void)
1903 {
1904
1905 ipsec_output_init();
1906
1907 ipsecstat_percpu = percpu_alloc(sizeof(uint64_t) * IPSEC_NSTATS);
1908
1909 sysctl_net_inet_ipsec_setup(NULL);
1910 #ifdef INET6
1911 sysctl_net_inet6_ipsec6_setup(NULL);
1912 #endif
1913
1914 ah_attach();
1915 esp_attach();
1916 ipcomp_attach();
1917 ipe4_attach();
1918 #ifdef TCP_SIGNATURE
1919 tcpsignature_attach();
1920 #endif
1921 }
1922