1 /* $OpenBSD: ip_ipsp.c,v 1.193 2014/01/09 06:29:06 tedu Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr), 5 * Niels Provos (provos@physnet.uni-hamburg.de) and 6 * Niklas Hallqvist (niklas@appli.se). 7 * 8 * The original version of this code was written by John Ioannidis 9 * for BSD/OS in Athens, Greece, in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis and Niklas Hallqvist. 18 * 19 * Copyright (c) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 1999 Niklas Hallqvist. 22 * Copyright (c) 2001, Angelos D. Keromytis. 23 * 24 * Permission to use, copy, and modify this software with or without fee 25 * is hereby granted, provided that this entire notice is included in 26 * all copies of any software which is or includes a copy or 27 * modification of this software. 28 * You may use this code under the GNU public license if you so wish. Please 29 * contribute changes back to the authors under this freer than GPL license 30 * so that we may further the use of strong encryption without limitations to 31 * all. 32 * 33 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 34 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 35 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 36 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 37 * PURPOSE. 38 */ 39 40 #include "pf.h" 41 #include "pfsync.h" 42 43 #include <sys/param.h> 44 #include <sys/mbuf.h> 45 #include <sys/socket.h> 46 #include <sys/kernel.h> 47 #include <sys/proc.h> 48 #include <sys/sysctl.h> 49 #include <sys/timeout.h> 50 51 #include <net/if.h> 52 #include <net/route.h> 53 54 #if NPF > 0 55 #include <net/pfvar.h> 56 #endif 57 58 #if NPFSYNC > 0 59 #include <net/if_pfsync.h> 60 #endif 61 62 #ifdef INET 63 #include <netinet/in.h> 64 #include <netinet/in_systm.h> 65 #include <netinet/ip.h> 66 #include <netinet/in_pcb.h> 67 #include <netinet/ip_var.h> 68 #endif /* INET */ 69 70 #ifdef INET6 71 #ifndef INET 72 #include <netinet/in.h> 73 #endif 74 #endif /* INET6 */ 75 76 #include <netinet/ip_ipsp.h> 77 #include <net/pfkeyv2.h> 78 #include <crypto/xform.h> 79 #include <dev/rndvar.h> 80 81 #ifdef DDB 82 #include <ddb/db_output.h> 83 void tdb_hashstats(void); 84 #endif 85 86 #ifdef ENCDEBUG 87 #define DPRINTF(x) if (encdebug) printf x 88 #else 89 #define DPRINTF(x) 90 #endif 91 92 void tdb_rehash(void); 93 void tdb_timeout(void *v); 94 void tdb_firstuse(void *v); 95 void tdb_soft_timeout(void *v); 96 void tdb_soft_firstuse(void *v); 97 int tdb_hash(u_int, u_int32_t, union sockaddr_union *, u_int8_t); 98 99 int ipsec_in_use = 0; 100 u_int64_t ipsec_last_added = 0; 101 102 struct ipsec_policy_head ipsec_policy_head = 103 TAILQ_HEAD_INITIALIZER(ipsec_policy_head); 104 struct ipsec_acquire_head ipsec_acquire_head = 105 TAILQ_HEAD_INITIALIZER(ipsec_acquire_head); 106 107 /* 108 * This is the proper place to define the various encapsulation transforms. 109 */ 110 111 struct xformsw xformsw[] = { 112 #ifdef IPSEC 113 { XF_IP4, 0, "IPv4 Simple Encapsulation", 114 ipe4_attach, ipe4_init, ipe4_zeroize, 115 (int (*)(struct mbuf *, struct tdb *, int, int))ipe4_input, 116 ipip_output, }, 117 { XF_AH, XFT_AUTH, "IPsec AH", 118 ah_attach, ah_init, ah_zeroize, 119 ah_input, ah_output, }, 120 { XF_ESP, XFT_CONF|XFT_AUTH, "IPsec ESP", 121 esp_attach, esp_init, esp_zeroize, 122 esp_input, esp_output, }, 123 { XF_IPCOMP, XFT_COMP, "IPcomp", 124 ipcomp_attach, ipcomp_init, ipcomp_zeroize, 125 ipcomp_input, ipcomp_output, }, 126 #endif /* IPSEC */ 127 #ifdef TCP_SIGNATURE 128 { XF_TCPSIGNATURE, XFT_AUTH, "TCP MD5 Signature Option, RFC 2385", 129 tcp_signature_tdb_attach, tcp_signature_tdb_init, 130 tcp_signature_tdb_zeroize, tcp_signature_tdb_input, 131 tcp_signature_tdb_output, } 132 #endif /* TCP_SIGNATURE */ 133 }; 134 135 struct xformsw *xformswNXFORMSW = &xformsw[nitems(xformsw)]; 136 137 #define TDB_HASHSIZE_INIT 32 138 139 static struct tdb **tdbh = NULL; 140 static struct tdb **tdbaddr = NULL; 141 static struct tdb **tdbsrc = NULL; 142 static u_int tdb_hashmask = TDB_HASHSIZE_INIT - 1; 143 static int tdb_count; 144 145 /* 146 * Our hashing function needs to stir things with a non-zero random multiplier 147 * so we cannot be DoS-attacked via choosing of the data to hash. 148 */ 149 int 150 tdb_hash(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, 151 u_int8_t proto) 152 { 153 static u_int32_t mult1 = 0, mult2 = 0; 154 u_int8_t *ptr = (u_int8_t *) dst; 155 int i, shift; 156 u_int64_t hash; 157 int val32 = 0; 158 159 while (mult1 == 0) 160 mult1 = arc4random(); 161 while (mult2 == 0) 162 mult2 = arc4random(); 163 164 hash = (spi ^ proto ^ rdomain) * mult1; 165 for (i = 0; i < SA_LEN(&dst->sa); i++) { 166 val32 = (val32 << 8) | ptr[i]; 167 if (i % 4 == 3) { 168 hash ^= val32 * mult2; 169 val32 = 0; 170 } 171 } 172 173 if (i % 4 != 0) 174 hash ^= val32 * mult2; 175 176 shift = ffs(tdb_hashmask + 1); 177 while ((hash & ~tdb_hashmask) != 0) 178 hash = (hash >> shift) ^ (hash & tdb_hashmask); 179 180 return hash; 181 } 182 183 /* 184 * Reserve an SPI; the SA is not valid yet though. We use 0 as 185 * an error return value. 186 */ 187 u_int32_t 188 reserve_spi(u_int rdomain, u_int32_t sspi, u_int32_t tspi, 189 union sockaddr_union *src, union sockaddr_union *dst, 190 u_int8_t sproto, int *errval) 191 { 192 struct tdb *tdbp, *exists; 193 u_int32_t spi; 194 int nums, s; 195 196 /* Don't accept ranges only encompassing reserved SPIs. */ 197 if (sproto != IPPROTO_IPCOMP && 198 (tspi < sspi || tspi <= SPI_RESERVED_MAX)) { 199 (*errval) = EINVAL; 200 return 0; 201 } 202 if (sproto == IPPROTO_IPCOMP && (tspi < sspi || 203 tspi <= CPI_RESERVED_MAX || 204 tspi >= CPI_PRIVATE_MIN)) { 205 (*errval) = EINVAL; 206 return 0; 207 } 208 209 /* Limit the range to not include reserved areas. */ 210 if (sspi <= SPI_RESERVED_MAX) 211 sspi = SPI_RESERVED_MAX + 1; 212 213 /* For IPCOMP the CPI is only 16 bits long, what a good idea.... */ 214 215 if (sproto == IPPROTO_IPCOMP) { 216 u_int32_t t; 217 if (sspi >= 0x10000) 218 sspi = 0xffff; 219 if (tspi >= 0x10000) 220 tspi = 0xffff; 221 if (sspi > tspi) { 222 t = sspi; sspi = tspi; tspi = t; 223 } 224 } 225 226 if (sspi == tspi) /* Asking for a specific SPI. */ 227 nums = 1; 228 else 229 nums = 100; /* Arbitrarily chosen */ 230 231 /* allocate ahead of time to avoid potential sleeping race in loop */ 232 tdbp = tdb_alloc(rdomain); 233 234 while (nums--) { 235 if (sspi == tspi) /* Specific SPI asked. */ 236 spi = tspi; 237 else /* Range specified */ 238 spi = sspi + arc4random_uniform(tspi - sspi); 239 240 /* Don't allocate reserved SPIs. */ 241 if (spi >= SPI_RESERVED_MIN && spi <= SPI_RESERVED_MAX) 242 continue; 243 else 244 spi = htonl(spi); 245 246 /* Check whether we're using this SPI already. */ 247 s = splsoftnet(); 248 exists = gettdb(rdomain, spi, dst, sproto); 249 splx(s); 250 251 if (exists) 252 continue; 253 254 255 tdbp->tdb_spi = spi; 256 bcopy(&dst->sa, &tdbp->tdb_dst.sa, SA_LEN(&dst->sa)); 257 bcopy(&src->sa, &tdbp->tdb_src.sa, SA_LEN(&src->sa)); 258 tdbp->tdb_sproto = sproto; 259 tdbp->tdb_flags |= TDBF_INVALID; /* Mark SA invalid for now. */ 260 tdbp->tdb_satype = SADB_SATYPE_UNSPEC; 261 puttdb(tdbp); 262 263 /* Setup a "silent" expiration (since TDBF_INVALID's set). */ 264 if (ipsec_keep_invalid > 0) { 265 tdbp->tdb_flags |= TDBF_TIMER; 266 tdbp->tdb_exp_timeout = ipsec_keep_invalid; 267 timeout_add_sec(&tdbp->tdb_timer_tmo, 268 ipsec_keep_invalid); 269 } 270 271 return spi; 272 } 273 274 (*errval) = EEXIST; 275 tdb_free(tdbp); 276 return 0; 277 } 278 279 /* 280 * An IPSP SAID is really the concatenation of the SPI found in the 281 * packet, the destination address of the packet and the IPsec protocol. 282 * When we receive an IPSP packet, we need to look up its tunnel descriptor 283 * block, based on the SPI in the packet and the destination address (which 284 * is really one of our addresses if we received the packet! 285 * 286 * Caller is responsible for setting at least splsoftnet(). 287 */ 288 struct tdb * 289 gettdb(u_int rdomain, u_int32_t spi, union sockaddr_union *dst, u_int8_t proto) 290 { 291 u_int32_t hashval; 292 struct tdb *tdbp; 293 294 if (tdbh == NULL) 295 return (struct tdb *) NULL; 296 297 hashval = tdb_hash(rdomain, spi, dst, proto); 298 299 for (tdbp = tdbh[hashval]; tdbp != NULL; tdbp = tdbp->tdb_hnext) 300 if ((tdbp->tdb_spi == spi) && (tdbp->tdb_sproto == proto) && 301 (tdbp->tdb_rdomain == rdomain) && 302 !memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) 303 break; 304 305 return tdbp; 306 } 307 308 /* 309 * Same as gettdb() but compare SRC as well, so we 310 * use the tdbsrc[] hash table. Setting spi to 0 311 * matches all SPIs. 312 */ 313 struct tdb * 314 gettdbbysrcdst(u_int rdomain, u_int32_t spi, union sockaddr_union *src, 315 union sockaddr_union *dst, u_int8_t proto) 316 { 317 u_int32_t hashval; 318 struct tdb *tdbp; 319 union sockaddr_union su_null; 320 321 if (tdbsrc == NULL) 322 return (struct tdb *) NULL; 323 324 hashval = tdb_hash(rdomain, 0, src, proto); 325 326 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 327 if (tdbp->tdb_sproto == proto && 328 (spi == 0 || tdbp->tdb_spi == spi) && 329 (tdbp->tdb_rdomain == rdomain) && 330 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 331 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 332 !memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) && 333 !memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa))) 334 break; 335 336 if (tdbp != NULL) 337 return (tdbp); 338 339 memset(&su_null, 0, sizeof(su_null)); 340 su_null.sa.sa_len = sizeof(struct sockaddr); 341 hashval = tdb_hash(rdomain, 0, &su_null, proto); 342 343 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 344 if (tdbp->tdb_sproto == proto && 345 (spi == 0 || tdbp->tdb_spi == spi) && 346 (tdbp->tdb_rdomain == rdomain) && 347 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 348 (tdbp->tdb_dst.sa.sa_family == AF_UNSPEC || 349 !memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa))) && 350 tdbp->tdb_src.sa.sa_family == AF_UNSPEC) 351 break; 352 353 return (tdbp); 354 } 355 356 /* 357 * Check that credentials and IDs match. Return true if so. The t* 358 * range of arguments contains information from TDBs; the p* 359 * range of arguments contains information from policies or 360 * already established TDBs. 361 */ 362 int 363 ipsp_aux_match(struct tdb *tdb, 364 struct ipsec_ref *psrcid, 365 struct ipsec_ref *pdstid, 366 struct ipsec_ref *plcred, 367 struct ipsec_ref *prcred, 368 struct sockaddr_encap *pfilter, 369 struct sockaddr_encap *pfiltermask) 370 { 371 if (psrcid != NULL) 372 if (tdb->tdb_srcid == NULL || 373 !ipsp_ref_match(tdb->tdb_srcid, psrcid)) 374 return 0; 375 376 if (pdstid != NULL) 377 if (tdb->tdb_dstid == NULL || 378 !ipsp_ref_match(tdb->tdb_dstid, pdstid)) 379 return 0; 380 381 if (plcred != NULL) 382 if (tdb->tdb_local_cred == NULL || 383 !ipsp_ref_match(tdb->tdb_local_cred, plcred)) 384 return 0; 385 386 if (prcred != NULL) 387 if (tdb->tdb_remote_cred == NULL || 388 !ipsp_ref_match(tdb->tdb_remote_cred, prcred)) 389 return 0; 390 391 /* Check for filter matches. */ 392 if (tdb->tdb_filter.sen_type) { 393 /* 394 * XXX We should really be doing a subnet-check (see 395 * whether the TDB-associated filter is a subset 396 * of the policy's. For now, an exact match will solve 397 * most problems (all this will do is make every 398 * policy get its own SAs). 399 */ 400 if (memcmp(&tdb->tdb_filter, pfilter, 401 sizeof(struct sockaddr_encap)) || 402 memcmp(&tdb->tdb_filtermask, pfiltermask, 403 sizeof(struct sockaddr_encap))) 404 return 0; 405 } 406 407 return 1; 408 } 409 410 /* 411 * Get an SA given the remote address, the security protocol type, and 412 * the desired IDs. 413 */ 414 struct tdb * 415 gettdbbyaddr(u_int rdomain, union sockaddr_union *dst, u_int8_t sproto, 416 struct ipsec_ref *srcid, struct ipsec_ref *dstid, 417 struct ipsec_ref *local_cred, struct mbuf *m, int af, 418 struct sockaddr_encap *filter, struct sockaddr_encap *filtermask) 419 { 420 u_int32_t hashval; 421 struct tdb *tdbp; 422 423 if (tdbaddr == NULL) 424 return (struct tdb *) NULL; 425 426 hashval = tdb_hash(rdomain, 0, dst, sproto); 427 428 for (tdbp = tdbaddr[hashval]; tdbp != NULL; tdbp = tdbp->tdb_anext) 429 if ((tdbp->tdb_sproto == sproto) && 430 (tdbp->tdb_rdomain == rdomain) && 431 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 432 (!memcmp(&tdbp->tdb_dst, dst, SA_LEN(&dst->sa)))) { 433 /* Do IDs and local credentials match ? */ 434 if (!ipsp_aux_match(tdbp, srcid, dstid, 435 local_cred, NULL, filter, filtermask)) 436 continue; 437 break; 438 } 439 440 return tdbp; 441 } 442 443 /* 444 * Get an SA given the source address, the security protocol type, and 445 * the desired IDs. 446 */ 447 struct tdb * 448 gettdbbysrc(u_int rdomain, union sockaddr_union *src, u_int8_t sproto, 449 struct ipsec_ref *srcid, struct ipsec_ref *dstid, 450 struct mbuf *m, int af, struct sockaddr_encap *filter, 451 struct sockaddr_encap *filtermask) 452 { 453 u_int32_t hashval; 454 struct tdb *tdbp; 455 456 if (tdbsrc == NULL) 457 return (struct tdb *) NULL; 458 459 hashval = tdb_hash(rdomain, 0, src, sproto); 460 461 for (tdbp = tdbsrc[hashval]; tdbp != NULL; tdbp = tdbp->tdb_snext) 462 if ((tdbp->tdb_sproto == sproto) && 463 (tdbp->tdb_rdomain == rdomain) && 464 ((tdbp->tdb_flags & TDBF_INVALID) == 0) && 465 (!memcmp(&tdbp->tdb_src, src, SA_LEN(&src->sa)))) { 466 /* Check whether IDs match */ 467 if (!ipsp_aux_match(tdbp, dstid, srcid, NULL, NULL, 468 filter, filtermask)) 469 continue; 470 break; 471 } 472 473 return tdbp; 474 } 475 476 #if DDB 477 478 #define NBUCKETS 16 479 void 480 tdb_hashstats(void) 481 { 482 int i, cnt, buckets[NBUCKETS]; 483 struct tdb *tdbp; 484 485 if (tdbh == NULL) { 486 db_printf("no tdb hash table\n"); 487 return; 488 } 489 490 memset(buckets, 0, sizeof(buckets)); 491 for (i = 0; i <= tdb_hashmask; i++) { 492 cnt = 0; 493 for (tdbp = tdbh[i]; cnt < NBUCKETS - 1 && tdbp != NULL; 494 tdbp = tdbp->tdb_hnext) 495 cnt++; 496 buckets[cnt]++; 497 } 498 499 db_printf("tdb cnt\t\tbucket cnt\n"); 500 for (i = 0; i < NBUCKETS; i++) 501 if (buckets[i] > 0) 502 db_printf("%d%s\t\t%d\n", i, i == NBUCKETS - 1 ? 503 "+" : "", buckets[i]); 504 } 505 #endif /* DDB */ 506 507 /* 508 * Caller is responsible for setting at least splsoftnet(). 509 */ 510 int 511 tdb_walk(u_int rdomain, int (*walker)(struct tdb *, void *, int), void *arg) 512 { 513 int i, rval = 0; 514 struct tdb *tdbp, *next; 515 516 if (tdbh == NULL) 517 return ENOENT; 518 519 for (i = 0; i <= tdb_hashmask; i++) 520 for (tdbp = tdbh[i]; rval == 0 && tdbp != NULL; tdbp = next) { 521 next = tdbp->tdb_hnext; 522 523 if (rdomain != tdbp->tdb_rdomain) 524 continue; 525 526 if (i == tdb_hashmask && next == NULL) 527 rval = walker(tdbp, (void *)arg, 1); 528 else 529 rval = walker(tdbp, (void *)arg, 0); 530 } 531 532 return rval; 533 } 534 535 /* 536 * Called at splsoftclock(). 537 */ 538 void 539 tdb_timeout(void *v) 540 { 541 struct tdb *tdb = v; 542 543 if (!(tdb->tdb_flags & TDBF_TIMER)) 544 return; 545 546 /* If it's an "invalid" TDB do a silent expiration. */ 547 if (!(tdb->tdb_flags & TDBF_INVALID)) 548 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 549 tdb_delete(tdb); 550 } 551 552 void 553 tdb_firstuse(void *v) 554 { 555 struct tdb *tdb = v; 556 557 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 558 return; 559 560 /* If the TDB hasn't been used, don't renew it. */ 561 if (tdb->tdb_first_use != 0) 562 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); 563 tdb_delete(tdb); 564 } 565 566 void 567 tdb_soft_timeout(void *v) 568 { 569 struct tdb *tdb = v; 570 571 if (!(tdb->tdb_flags & TDBF_SOFT_TIMER)) 572 return; 573 574 /* Soft expirations. */ 575 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 576 tdb->tdb_flags &= ~TDBF_SOFT_TIMER; 577 } 578 579 void 580 tdb_soft_firstuse(void *v) 581 { 582 struct tdb *tdb = v; 583 584 if (!(tdb->tdb_flags & TDBF_SOFT_FIRSTUSE)) 585 return; 586 587 /* If the TDB hasn't been used, don't renew it. */ 588 if (tdb->tdb_first_use != 0) 589 pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_SOFT); 590 tdb->tdb_flags &= ~TDBF_SOFT_FIRSTUSE; 591 } 592 593 /* 594 * Caller is responsible for splsoftnet(). 595 */ 596 void 597 tdb_rehash(void) 598 { 599 struct tdb **new_tdbh, **new_tdbaddr, **new_srcaddr, *tdbp, *tdbnp; 600 u_int i, old_hashmask = tdb_hashmask; 601 u_int32_t hashval; 602 603 tdb_hashmask = (tdb_hashmask << 1) | 1; 604 605 new_tdbh = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 606 M_WAITOK | M_ZERO); 607 new_tdbaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 608 M_WAITOK | M_ZERO); 609 new_srcaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 610 M_WAITOK | M_ZERO); 611 612 for (i = 0; i <= old_hashmask; i++) { 613 for (tdbp = tdbh[i]; tdbp != NULL; tdbp = tdbnp) { 614 tdbnp = tdbp->tdb_hnext; 615 hashval = tdb_hash(tdbp->tdb_rdomain, 616 tdbp->tdb_spi, &tdbp->tdb_dst, 617 tdbp->tdb_sproto); 618 tdbp->tdb_hnext = new_tdbh[hashval]; 619 new_tdbh[hashval] = tdbp; 620 } 621 622 for (tdbp = tdbaddr[i]; tdbp != NULL; tdbp = tdbnp) { 623 tdbnp = tdbp->tdb_anext; 624 hashval = tdb_hash(tdbp->tdb_rdomain, 625 0, &tdbp->tdb_dst, 626 tdbp->tdb_sproto); 627 tdbp->tdb_anext = new_tdbaddr[hashval]; 628 new_tdbaddr[hashval] = tdbp; 629 } 630 631 for (tdbp = tdbsrc[i]; tdbp != NULL; tdbp = tdbnp) { 632 tdbnp = tdbp->tdb_snext; 633 hashval = tdb_hash(tdbp->tdb_rdomain, 634 0, &tdbp->tdb_src, 635 tdbp->tdb_sproto); 636 tdbp->tdb_snext = new_srcaddr[hashval]; 637 new_srcaddr[hashval] = tdbp; 638 } 639 } 640 641 free(tdbh, M_TDB); 642 tdbh = new_tdbh; 643 644 free(tdbaddr, M_TDB); 645 tdbaddr = new_tdbaddr; 646 647 free(tdbsrc, M_TDB); 648 tdbsrc = new_srcaddr; 649 } 650 651 /* 652 * Add TDB in the hash table. 653 */ 654 void 655 puttdb(struct tdb *tdbp) 656 { 657 u_int32_t hashval; 658 int s = splsoftnet(); 659 660 if (tdbh == NULL) { 661 tdbh = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), M_TDB, 662 M_WAITOK | M_ZERO); 663 tdbaddr = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), 664 M_TDB, M_WAITOK | M_ZERO); 665 tdbsrc = malloc(sizeof(struct tdb *) * (tdb_hashmask + 1), 666 M_TDB, M_WAITOK | M_ZERO); 667 } 668 669 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 670 &tdbp->tdb_dst, tdbp->tdb_sproto); 671 672 /* 673 * Rehash if this tdb would cause a bucket to have more than 674 * two items and if the number of tdbs exceed 10% of the 675 * bucket count. This number is arbitratily chosen and is 676 * just a measure to not keep rehashing when adding and 677 * removing tdbs which happens to always end up in the same 678 * bucket, which is not uncommon when doing manual keying. 679 */ 680 if (tdbh[hashval] != NULL && tdbh[hashval]->tdb_hnext != NULL && 681 tdb_count * 10 > tdb_hashmask + 1) { 682 tdb_rehash(); 683 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 684 &tdbp->tdb_dst, tdbp->tdb_sproto); 685 } 686 687 tdbp->tdb_hnext = tdbh[hashval]; 688 tdbh[hashval] = tdbp; 689 690 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_dst, 691 tdbp->tdb_sproto); 692 tdbp->tdb_anext = tdbaddr[hashval]; 693 tdbaddr[hashval] = tdbp; 694 695 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_src, 696 tdbp->tdb_sproto); 697 tdbp->tdb_snext = tdbsrc[hashval]; 698 tdbsrc[hashval] = tdbp; 699 700 tdb_count++; 701 702 ipsec_last_added = time_second; 703 704 splx(s); 705 } 706 707 /* 708 * Caller is responsible to set at least splsoftnet(). 709 */ 710 void 711 tdb_delete(struct tdb *tdbp) 712 { 713 struct tdb *tdbpp; 714 u_int32_t hashval; 715 int s; 716 717 if (tdbh == NULL) 718 return; 719 720 hashval = tdb_hash(tdbp->tdb_rdomain, tdbp->tdb_spi, 721 &tdbp->tdb_dst, tdbp->tdb_sproto); 722 723 s = splsoftnet(); 724 if (tdbh[hashval] == tdbp) { 725 tdbh[hashval] = tdbp->tdb_hnext; 726 } else { 727 for (tdbpp = tdbh[hashval]; tdbpp != NULL; 728 tdbpp = tdbpp->tdb_hnext) { 729 if (tdbpp->tdb_hnext == tdbp) { 730 tdbpp->tdb_hnext = tdbp->tdb_hnext; 731 break; 732 } 733 } 734 } 735 736 tdbp->tdb_hnext = NULL; 737 738 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_dst, 739 tdbp->tdb_sproto); 740 741 if (tdbaddr[hashval] == tdbp) { 742 tdbaddr[hashval] = tdbp->tdb_anext; 743 } else { 744 for (tdbpp = tdbaddr[hashval]; tdbpp != NULL; 745 tdbpp = tdbpp->tdb_anext) { 746 if (tdbpp->tdb_anext == tdbp) { 747 tdbpp->tdb_anext = tdbp->tdb_anext; 748 break; 749 } 750 } 751 } 752 753 hashval = tdb_hash(tdbp->tdb_rdomain, 0, &tdbp->tdb_src, 754 tdbp->tdb_sproto); 755 756 if (tdbsrc[hashval] == tdbp) { 757 tdbsrc[hashval] = tdbp->tdb_snext; 758 } 759 else { 760 for (tdbpp = tdbsrc[hashval]; tdbpp != NULL; 761 tdbpp = tdbpp->tdb_snext) { 762 if (tdbpp->tdb_snext == tdbp) { 763 tdbpp->tdb_snext = tdbp->tdb_snext; 764 break; 765 } 766 } 767 } 768 769 tdbp->tdb_snext = NULL; 770 tdb_free(tdbp); 771 tdb_count--; 772 773 splx(s); 774 } 775 776 /* 777 * Allocate a TDB and initialize a few basic fields. 778 */ 779 struct tdb * 780 tdb_alloc(u_int rdomain) 781 { 782 struct tdb *tdbp; 783 784 tdbp = malloc(sizeof(*tdbp), M_TDB, M_WAITOK | M_ZERO); 785 786 /* Init Incoming SA-Binding Queues. */ 787 TAILQ_INIT(&tdbp->tdb_inp_out); 788 TAILQ_INIT(&tdbp->tdb_inp_in); 789 790 TAILQ_INIT(&tdbp->tdb_policy_head); 791 792 /* Record establishment time. */ 793 tdbp->tdb_established = time_second; 794 795 /* Save routing domain */ 796 tdbp->tdb_rdomain = rdomain; 797 798 /* Initialize timeouts. */ 799 timeout_set(&tdbp->tdb_timer_tmo, tdb_timeout, tdbp); 800 timeout_set(&tdbp->tdb_first_tmo, tdb_firstuse, tdbp); 801 timeout_set(&tdbp->tdb_stimer_tmo, tdb_soft_timeout, tdbp); 802 timeout_set(&tdbp->tdb_sfirst_tmo, tdb_soft_firstuse, tdbp); 803 804 return tdbp; 805 } 806 807 void 808 tdb_free(struct tdb *tdbp) 809 { 810 struct ipsec_policy *ipo; 811 struct inpcb *inp; 812 813 if (tdbp->tdb_xform) { 814 (*(tdbp->tdb_xform->xf_zeroize))(tdbp); 815 tdbp->tdb_xform = NULL; 816 } 817 818 #if NPFSYNC > 0 819 /* Cleanup pfsync references */ 820 pfsync_delete_tdb(tdbp); 821 #endif 822 823 /* Cleanup inp references. */ 824 for (inp = TAILQ_FIRST(&tdbp->tdb_inp_in); inp; 825 inp = TAILQ_FIRST(&tdbp->tdb_inp_in)) { 826 TAILQ_REMOVE(&tdbp->tdb_inp_in, inp, inp_tdb_in_next); 827 inp->inp_tdb_in = NULL; 828 } 829 830 for (inp = TAILQ_FIRST(&tdbp->tdb_inp_out); inp; 831 inp = TAILQ_FIRST(&tdbp->tdb_inp_out)) { 832 TAILQ_REMOVE(&tdbp->tdb_inp_out, inp, inp_tdb_out_next); 833 inp->inp_tdb_out = NULL; 834 } 835 836 /* Cleanup SPD references. */ 837 for (ipo = TAILQ_FIRST(&tdbp->tdb_policy_head); ipo; 838 ipo = TAILQ_FIRST(&tdbp->tdb_policy_head)) { 839 TAILQ_REMOVE(&tdbp->tdb_policy_head, ipo, ipo_tdb_next); 840 ipo->ipo_tdb = NULL; 841 ipo->ipo_last_searched = 0; /* Force a re-search. */ 842 } 843 844 /* Remove expiration timeouts. */ 845 tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER | 846 TDBF_SOFT_TIMER); 847 timeout_del(&tdbp->tdb_timer_tmo); 848 timeout_del(&tdbp->tdb_first_tmo); 849 timeout_del(&tdbp->tdb_stimer_tmo); 850 timeout_del(&tdbp->tdb_sfirst_tmo); 851 852 if (tdbp->tdb_local_auth) { 853 ipsp_reffree(tdbp->tdb_local_auth); 854 tdbp->tdb_local_auth = NULL; 855 } 856 857 if (tdbp->tdb_remote_auth) { 858 ipsp_reffree(tdbp->tdb_remote_auth); 859 tdbp->tdb_remote_auth = NULL; 860 } 861 862 if (tdbp->tdb_srcid) { 863 ipsp_reffree(tdbp->tdb_srcid); 864 tdbp->tdb_srcid = NULL; 865 } 866 867 if (tdbp->tdb_dstid) { 868 ipsp_reffree(tdbp->tdb_dstid); 869 tdbp->tdb_dstid = NULL; 870 } 871 872 if (tdbp->tdb_local_cred) { 873 ipsp_reffree(tdbp->tdb_local_cred); 874 tdbp->tdb_local_cred = NULL; 875 } 876 877 if (tdbp->tdb_remote_cred) { 878 ipsp_reffree(tdbp->tdb_remote_cred); 879 tdbp->tdb_remote_cred = NULL; 880 } 881 882 #if NPF > 0 883 if (tdbp->tdb_tag) { 884 pf_tag_unref(tdbp->tdb_tag); 885 tdbp->tdb_tag = 0; 886 } 887 #endif 888 889 if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp)) 890 tdbp->tdb_onext->tdb_inext = NULL; 891 892 if ((tdbp->tdb_inext) && (tdbp->tdb_inext->tdb_onext == tdbp)) 893 tdbp->tdb_inext->tdb_onext = NULL; 894 895 free(tdbp, M_TDB); 896 } 897 898 /* 899 * Do further initializations of a TDB. 900 */ 901 int 902 tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii) 903 { 904 struct xformsw *xsp; 905 int err; 906 907 for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) { 908 if (xsp->xf_type == alg) { 909 err = (*(xsp->xf_init))(tdbp, xsp, ii); 910 return err; 911 } 912 } 913 914 DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n", 915 alg, ntohl(tdbp->tdb_spi), ipsp_address(tdbp->tdb_dst), 916 tdbp->tdb_sproto)); 917 918 return EINVAL; 919 } 920 921 /* 922 * Check which transformations are required. 923 */ 924 u_int8_t 925 get_sa_require(struct inpcb *inp) 926 { 927 u_int8_t sareq = 0; 928 929 if (inp != NULL) { 930 sareq |= inp->inp_seclevel[SL_AUTH] >= IPSEC_LEVEL_USE ? 931 NOTIFY_SATYPE_AUTH : 0; 932 sareq |= inp->inp_seclevel[SL_ESP_TRANS] >= IPSEC_LEVEL_USE ? 933 NOTIFY_SATYPE_CONF : 0; 934 sareq |= inp->inp_seclevel[SL_ESP_NETWORK] >= IPSEC_LEVEL_USE ? 935 NOTIFY_SATYPE_TUNNEL : 0; 936 } else { 937 /* 938 * Code left for documentation purposes, these 939 * conditions are always evaluated to false. 940 */ 941 sareq |= IPSEC_AUTH_LEVEL_DEFAULT >= IPSEC_LEVEL_USE ? 942 NOTIFY_SATYPE_AUTH : 0; 943 sareq |= IPSEC_ESP_TRANS_LEVEL_DEFAULT >= IPSEC_LEVEL_USE ? 944 NOTIFY_SATYPE_CONF : 0; 945 sareq |= IPSEC_ESP_NETWORK_LEVEL_DEFAULT >= IPSEC_LEVEL_USE ? 946 NOTIFY_SATYPE_TUNNEL : 0; 947 } 948 949 return (sareq); 950 } 951 952 /* 953 * Add an inpcb to the list of inpcb which reference this tdb directly. 954 */ 955 void 956 tdb_add_inp(struct tdb *tdb, struct inpcb *inp, int inout) 957 { 958 if (inout) { 959 if (inp->inp_tdb_in) { 960 if (inp->inp_tdb_in == tdb) 961 return; 962 963 TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp, 964 inp_tdb_in_next); 965 } 966 967 inp->inp_tdb_in = tdb; 968 TAILQ_INSERT_TAIL(&tdb->tdb_inp_in, inp, inp_tdb_in_next); 969 } else { 970 if (inp->inp_tdb_out) { 971 if (inp->inp_tdb_out == tdb) 972 return; 973 974 TAILQ_REMOVE(&inp->inp_tdb_out->tdb_inp_out, inp, 975 inp_tdb_out_next); 976 } 977 978 inp->inp_tdb_out = tdb; 979 TAILQ_INSERT_TAIL(&tdb->tdb_inp_out, inp, inp_tdb_out_next); 980 } 981 } 982 983 #ifdef ENCDEBUG 984 /* Return a printable string for the address. */ 985 const char * 986 ipsp_address(union sockaddr_union sa) 987 { 988 static char ipspbuf[4][INET6_ADDRSTRLEN]; 989 static int ipspround = 0; 990 char *buf; 991 992 ipspround = (ipspround + 1) % 4; 993 buf = ipspbuf[ipspround]; 994 995 switch (sa.sa.sa_family) { 996 #ifdef INET 997 case AF_INET: 998 return inet_ntop(AF_INET, &sa.sin.sin_addr, 999 buf, INET_ADDRSTRLEN); 1000 #endif /* INET */ 1001 1002 #ifdef INET6 1003 case AF_INET6: 1004 return inet_ntop(AF_INET6, &sa.sin6.sin6_addr, 1005 buf, INET6_ADDRSTRLEN); 1006 #endif /* INET6 */ 1007 1008 default: 1009 return "(unknown address family)"; 1010 } 1011 } 1012 #endif /* ENCDEBUG */ 1013 1014 /* Check whether an IP{4,6} address is unspecified. */ 1015 int 1016 ipsp_is_unspecified(union sockaddr_union addr) 1017 { 1018 switch (addr.sa.sa_family) { 1019 #ifdef INET 1020 case AF_INET: 1021 if (addr.sin.sin_addr.s_addr == INADDR_ANY) 1022 return 1; 1023 else 1024 return 0; 1025 #endif /* INET */ 1026 1027 #ifdef INET6 1028 case AF_INET6: 1029 if (IN6_IS_ADDR_UNSPECIFIED(&addr.sin6.sin6_addr)) 1030 return 1; 1031 else 1032 return 0; 1033 #endif /* INET6 */ 1034 1035 case 0: /* No family set. */ 1036 default: 1037 return 1; 1038 } 1039 } 1040 1041 /* Free reference-counted structure. */ 1042 void 1043 ipsp_reffree(struct ipsec_ref *ipr) 1044 { 1045 #ifdef DIAGNOSTIC 1046 if (ipr->ref_count <= 0) 1047 printf("ipsp_reffree: illegal reference count %d for " 1048 "object %p (len = %d, malloctype = %d)\n", 1049 ipr->ref_count, ipr, ipr->ref_len, ipr->ref_malloctype); 1050 #endif 1051 if (--ipr->ref_count <= 0) 1052 free(ipr, ipr->ref_malloctype); 1053 } 1054 1055 /* Mark a TDB as TDBF_SKIPCRYPTO. */ 1056 void 1057 ipsp_skipcrypto_mark(struct tdb_ident *tdbi) 1058 { 1059 struct tdb *tdb; 1060 int s = splsoftnet(); 1061 1062 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1063 if (tdb != NULL) { 1064 tdb->tdb_flags |= TDBF_SKIPCRYPTO; 1065 tdb->tdb_last_marked = time_second; 1066 } 1067 splx(s); 1068 } 1069 1070 /* Unmark a TDB as TDBF_SKIPCRYPTO. */ 1071 void 1072 ipsp_skipcrypto_unmark(struct tdb_ident *tdbi) 1073 { 1074 struct tdb *tdb; 1075 int s = splsoftnet(); 1076 1077 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1078 if (tdb != NULL) { 1079 tdb->tdb_flags &= ~TDBF_SKIPCRYPTO; 1080 tdb->tdb_last_marked = time_second; 1081 } 1082 splx(s); 1083 } 1084 1085 /* Return true if the two structures match. */ 1086 int 1087 ipsp_ref_match(struct ipsec_ref *ref1, struct ipsec_ref *ref2) 1088 { 1089 if (ref1->ref_type != ref2->ref_type || 1090 ref1->ref_len != ref2->ref_len || 1091 memcmp(ref1 + 1, ref2 + 1, ref1->ref_len)) 1092 return 0; 1093 1094 return 1; 1095 } 1096 1097 #ifdef notyet 1098 /* 1099 * Go down a chain of IPv4/IPv6/ESP/AH/IPiP chains creating an tag for each 1100 * IPsec header encountered. The offset where the first header, as well 1101 * as its type are given to us. 1102 */ 1103 struct m_tag * 1104 ipsp_parse_headers(struct mbuf *m, int off, u_int8_t proto) 1105 { 1106 int ipv4sa = 0, s, esphlen = 0, trail = 0, i; 1107 SLIST_HEAD(packet_tags, m_tag) tags; 1108 unsigned char lasteight[8]; 1109 struct tdb_ident *tdbi; 1110 struct m_tag *mtag; 1111 struct tdb *tdb; 1112 1113 #ifdef INET 1114 struct ip iph; 1115 #endif /* INET */ 1116 1117 #ifdef INET6 1118 struct in6_addr ip6_dst; 1119 #endif /* INET6 */ 1120 1121 /* We have to start with a known network protocol. */ 1122 if (proto != IPPROTO_IPV4 && proto != IPPROTO_IPV6) 1123 return NULL; 1124 1125 SLIST_INIT(&tags); 1126 1127 while (1) { 1128 switch (proto) { 1129 #ifdef INET 1130 case IPPROTO_IPV4: /* Also IPPROTO_IPIP */ 1131 { 1132 /* 1133 * Save the IP header (we need both the 1134 * address and ip_hl). 1135 */ 1136 m_copydata(m, off, sizeof(struct ip), (caddr_t) &iph); 1137 ipv4sa = 1; 1138 proto = iph.ip_p; 1139 off += iph.ip_hl << 2; 1140 break; 1141 } 1142 #endif /* INET */ 1143 1144 #ifdef INET6 1145 case IPPROTO_IPV6: 1146 { 1147 int nxtp, l; 1148 1149 /* Copy the IPv6 address. */ 1150 m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), 1151 sizeof(struct ip6_hdr), (caddr_t) &ip6_dst); 1152 ipv4sa = 0; 1153 1154 /* 1155 * Go down the chain of headers until we encounter a 1156 * non-option. 1157 */ 1158 for (l = ip6_nexthdr(m, off, proto, &nxtp); l != -1; 1159 l = ip6_nexthdr(m, off, proto, &nxtp)) { 1160 off += l; 1161 proto = nxtp; 1162 1163 /* Construct a tag. */ 1164 if (nxtp == IPPROTO_AH) { 1165 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE, 1166 sizeof(struct tdb_ident), 1167 M_NOWAIT); 1168 1169 if (mtag == NULL) 1170 return SLIST_FIRST(&tags); 1171 1172 tdbi = (struct tdb_ident *) (mtag + 1); 1173 memset(tdbi, 0, sizeof(struct tdb_ident)); 1174 1175 m_copydata(m, off + sizeof(u_int32_t), 1176 sizeof(u_int32_t), 1177 (caddr_t) &tdbi->spi); 1178 1179 tdbi->proto = IPPROTO_AH; 1180 tdbi->dst.sin6.sin6_family = AF_INET6; 1181 tdbi->dst.sin6.sin6_len = 1182 sizeof(struct sockaddr_in6); 1183 tdbi->dst.sin6.sin6_addr = ip6_dst; 1184 tdbi->rdomain = 1185 rtable_l2(m->m_pkthdr.rdomain); 1186 SLIST_INSERT_HEAD(&tags, 1187 mtag, m_tag_link); 1188 } 1189 else 1190 if (nxtp == IPPROTO_IPV6) 1191 m_copydata(m, off + 1192 offsetof(struct ip6_hdr, 1193 ip6_dst), 1194 sizeof(struct ip6_hdr), 1195 (caddr_t) &ip6_dst); 1196 } 1197 break; 1198 } 1199 #endif /* INET6 */ 1200 1201 case IPPROTO_ESP: 1202 /* Verify that this has been decrypted. */ 1203 { 1204 union sockaddr_union su; 1205 u_int32_t spi; 1206 1207 m_copydata(m, off, sizeof(u_int32_t), (caddr_t) &spi); 1208 memset(&su, 0, sizeof(union sockaddr_union)); 1209 1210 s = splsoftnet(); 1211 1212 #ifdef INET 1213 if (ipv4sa) { 1214 su.sin.sin_family = AF_INET; 1215 su.sin.sin_len = sizeof(struct sockaddr_in); 1216 su.sin.sin_addr = iph.ip_dst; 1217 } 1218 #endif /* INET */ 1219 1220 #ifdef INET6 1221 if (!ipv4sa) { 1222 su.sin6.sin6_family = AF_INET6; 1223 su.sin6.sin6_len = sizeof(struct sockaddr_in6); 1224 su.sin6.sin6_addr = ip6_dst; 1225 } 1226 #endif /* INET6 */ 1227 1228 tdb = gettdb(spi, &su, IPPROTO_ESP); 1229 if (tdb == NULL) { 1230 splx(s); 1231 return SLIST_FIRST(&tags); 1232 } 1233 1234 /* How large is the ESP header ? We use this later. */ 1235 esphlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; 1236 1237 /* Update the length of trailing ESP authenticators. */ 1238 if (tdb->tdb_authalgxform) 1239 trail += tdb->tdb_authalgxform->authsize; 1240 1241 splx(s); 1242 1243 /* Copy the last 10 bytes. */ 1244 m_copydata(m, m->m_pkthdr.len - trail - 8, 8, 1245 lasteight); 1246 1247 /* Verify the self-describing padding values. */ 1248 if (lasteight[6] != 0) { 1249 if (lasteight[6] != lasteight[5]) 1250 return SLIST_FIRST(&tags); 1251 1252 for (i = 4; lasteight[i + 1] != 1 && i >= 0; 1253 i--) 1254 if (lasteight[i + 1] != 1255 lasteight[i] + 1) 1256 return SLIST_FIRST(&tags); 1257 } 1258 } 1259 /* FALLTHROUGH */ 1260 case IPPROTO_AH: 1261 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_CRYPTO_DONE, 1262 sizeof(struct tdb_ident), M_NOWAIT); 1263 if (mtag == NULL) 1264 return SLIST_FIRST(&tags); 1265 1266 tdbi = (struct tdb_ident *) (mtag + 1); 1267 memset(tdbi, 0, sizeof(struct tdb_ident)); 1268 1269 /* Get SPI off the relevant header. */ 1270 if (proto == IPPROTO_AH) 1271 m_copydata(m, off + sizeof(u_int32_t), 1272 sizeof(u_int32_t), (caddr_t) &tdbi->spi); 1273 else /* IPPROTO_ESP */ 1274 m_copydata(m, off, sizeof(u_int32_t), 1275 (caddr_t) &tdbi->spi); 1276 1277 tdbi->proto = proto; /* AH or ESP */ 1278 tdbi->rdomain = rtable_l2(m->m_pkthdr.rdomain); 1279 1280 #ifdef INET 1281 /* Last network header was IPv4. */ 1282 if (ipv4sa) { 1283 tdbi->dst.sin.sin_family = AF_INET; 1284 tdbi->dst.sin.sin_len = 1285 sizeof(struct sockaddr_in); 1286 tdbi->dst.sin.sin_addr = iph.ip_dst; 1287 } 1288 #endif /* INET */ 1289 1290 #ifdef INET6 1291 /* Last network header was IPv6. */ 1292 if (!ipv4sa) { 1293 tdbi->dst.sin6.sin6_family = AF_INET6; 1294 tdbi->dst.sin6.sin6_len = 1295 sizeof(struct sockaddr_in6); 1296 tdbi->dst.sin6.sin6_addr = ip6_dst; 1297 } 1298 #endif /* INET6 */ 1299 1300 SLIST_INSERT_HEAD(&tags, mtag, m_tag_link); 1301 1302 /* Update next protocol/header and header offset. */ 1303 if (proto == IPPROTO_AH) { 1304 u_int8_t foo[2]; 1305 1306 m_copydata(m, off, 2 * sizeof(u_int8_t), foo); 1307 proto = foo[0]; 1308 off += (foo[1] + 2) << 2; 1309 } else {/* IPPROTO_ESP */ 1310 /* Initialized in IPPROTO_ESP case. */ 1311 off += esphlen; 1312 proto = lasteight[7]; 1313 } 1314 break; 1315 1316 default: 1317 return SLIST_FIRST(&tags); /* We're done. */ 1318 } 1319 } 1320 } 1321 #endif /* notyet */ 1322