ipsec.c source code [xnu/bsd/netinet6/ipsec.c]

1	/*
2	* Copyright (c) 2008-2018 Apple Inc. All rights reserved.
3	*
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5	*
6	* This file contains Original Code and/or Modifications of Original Code
7	* as defined in and that are subject to the Apple Public Source License
8	* Version 2.0 (the 'License'). You may not use this file except in
9	* compliance with the License. The rights granted to you under the License
10	* may not be used to create, or enable the creation or redistribution of,
11	* unlawful or unlicensed copies of an Apple operating system, or to
12	* circumvent, violate, or enable the circumvention or violation of, any
13	* terms of an Apple operating system software license agreement.
14	*
15	* Please obtain a copy of the License at
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.
17	*
18	* The Original Code and all software distributed under the License are
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23	* Please see the License for the specific language governing rights and
24	* limitations under the License.
25	*
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27	*/
28
29	/ $FreeBSD: src/sys/netinet6/ipsec.c,v 1.3.2.7 2001/07/19 06:37:23 kris Exp $ /
30	/ $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ /
31
32	/*
33	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
34	* All rights reserved.
35	*
36	* Redistribution and use in source and binary forms, with or without
37	* modification, are permitted provided that the following conditions
38	* are met:
39	* 1. Redistributions of source code must retain the above copyright
40	* notice, this list of conditions and the following disclaimer.
41	* 2. Redistributions in binary form must reproduce the above copyright
42	* notice, this list of conditions and the following disclaimer in the
43	* documentation and/or other materials provided with the distribution.
44	* 3. Neither the name of the project nor the names of its contributors
45	* may be used to endorse or promote products derived from this software
46	* without specific prior written permission.
47	*
48	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
49	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
50	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
51	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
52	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
53	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
54	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
55	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
56	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
57	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
58	* SUCH DAMAGE.
59	*/
60
61	/*
62	* IPsec controller part.
63	*/
64
65	#include <sys/param.h>
66	#include <sys/systm.h>
67	#include <sys/malloc.h>
68	#include <sys/mbuf.h>
69	#include <sys/mcache.h>
70	#include <sys/domain.h>
71	#include <sys/protosw.h>
72	#include <sys/socket.h>
73	#include <sys/socketvar.h>
74	#include <sys/errno.h>
75	#include <sys/time.h>
76	#include <sys/kernel.h>
77	#include <sys/syslog.h>
78	#include <sys/sysctl.h>
79	#include <kern/locks.h>
80	#include <sys/kauth.h>
81	#include <libkern/OSAtomic.h>
82
83	#include <net/if.h>
84	#include <net/route.h>
85	#include <net/if_ipsec.h>
86
87	#include <netinet/in.h>
88	#include <netinet/in_systm.h>
89	#include <netinet/ip.h>
90	#include <netinet/ip_var.h>
91	#include <netinet/in_var.h>
92	#include <netinet/udp.h>
93	#include <netinet/udp_var.h>
94	#include <netinet/ip_ecn.h>
95	#if INET6
96	#include <netinet6/ip6_ecn.h>
97	#endif
98	#include <netinet/tcp.h>
99	#include <netinet/udp.h>
100
101	#include <netinet/ip6.h>
102	#if INET6
103	#include <netinet6/ip6_var.h>
104	#endif
105	#include <netinet/in_pcb.h>
106	#if INET6
107	#include <netinet/icmp6.h>
108	#endif
109
110	#include <netinet6/ipsec.h>
111	#if INET6
112	#include <netinet6/ipsec6.h>
113	#endif
114	#include <netinet6/ah.h>
115	#if INET6
116	#include <netinet6/ah6.h>
117	#endif
118	#if IPSEC_ESP
119	#include <netinet6/esp.h>
120	#if INET6
121	#include <netinet6/esp6.h>
122	#endif
123	#endif
124	#include <netinet6/ipcomp.h>
125	#if INET6
126	#include <netinet6/ipcomp6.h>
127	#endif
128	#include <netkey/key.h>
129	#include <netkey/keydb.h>
130	#include <netkey/key_debug.h>
131
132	#include <net/net_osdep.h>
133
134	#if IPSEC_DEBUG
135	int ipsec_debug = `1`;
136	#else
137	int ipsec_debug = `0`;
138	#endif
139
140	#include <sys/kdebug.h>
141	#define DBG_LAYER_BEG NETDBG_CODE(DBG_NETIPSEC, 1)
142	#define DBG_LAYER_END NETDBG_CODE(DBG_NETIPSEC, 3)
143	#define DBG_FNC_GETPOL_SOCK NETDBG_CODE(DBG_NETIPSEC, (1 << 8))
144	#define DBG_FNC_GETPOL_ADDR NETDBG_CODE(DBG_NETIPSEC, (2 << 8))
145	#define DBG_FNC_IPSEC_OUT NETDBG_CODE(DBG_NETIPSEC, (3 << 8))
146
147	extern lck_mtx_t *sadb_mutex;
148
149	struct ipsecstat ipsecstat;
150	int ip4_ah_cleartos = `1`;
151	int ip4_ah_offsetmask = `0`; / maybe IP_DF? /
152	int ip4_ipsec_dfbit = `0`; / DF bit on encap. 0: clear 1: set 2: copy /
153	int ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
154	int ip4_esp_net_deflev = IPSEC_LEVEL_USE;
155	int ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
156	int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
157	struct secpolicy ip4_def_policy;
158	int ip4_ipsec_ecn = ECN_COMPATIBILITY; / ECN ignore(-1)/compatibility(0)/normal(1) /
159	int ip4_esp_randpad = -`1`;
160	int esp_udp_encap_port = `0`;
161	static int sysctl_def_policy SYSCTL_HANDLER_ARGS;
162	extern int natt_keepalive_interval;
163	extern u_int64_t natt_now;
164
165	struct ipsec_tag;
166
167	SYSCTL_DECL(_net_inet_ipsec);
168	#if INET6
169	SYSCTL_DECL(_net_inet6_ipsec6);
170	#endif
171	/ net.inet.ipsec /
172	SYSCTL_STRUCT(_net_inet_ipsec, IPSECCTL_STATS,
173	stats, CTLFLAG_RD \| CTLFLAG_LOCKED, &ipsecstat, ipsecstat, "");
174	SYSCTL_PROC(_net_inet_ipsec, IPSECCTL_DEF_POLICY, def_policy, CTLTYPE_INT\|CTLFLAG_RW \| CTLFLAG_LOCKED,
175	&ip4_def_policy.policy, `0`, &sysctl_def_policy, "I", "");
176	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
177	CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_esp_trans_deflev, `0`, "");
178	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
179	CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_esp_net_deflev, `0`, "");
180	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
181	CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_ah_trans_deflev, `0`, "");
182	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
183	CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_ah_net_deflev, `0`, "");
184	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
185	ah_cleartos, CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_ah_cleartos, `0`, "");
186	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
187	ah_offsetmask, CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_ah_offsetmask, `0`, "");
188	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
189	dfbit, CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_ipsec_dfbit, `0`, "");
190	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
191	ecn, CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_ipsec_ecn, `0`, "");
192	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
193	debug, CTLFLAG_RW \| CTLFLAG_LOCKED, &ipsec_debug, `0`, "");
194	SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
195	esp_randpad, CTLFLAG_RW \| CTLFLAG_LOCKED, &ip4_esp_randpad, `0`, "");
196
197	/ for performance, we bypass ipsec until a security policy is set /
198	int ipsec_bypass = `1`;
199	SYSCTL_INT(_net_inet_ipsec, OID_AUTO, bypass, CTLFLAG_RD \| CTLFLAG_LOCKED, &ipsec_bypass,`0`, "");
200
201	/*
202	* NAT Traversal requires a UDP port for encapsulation,
203	* esp_udp_encap_port controls which port is used. Racoon
204	* must set this port to the port racoon is using locally
205	* for nat traversal.
206	*/
207	SYSCTL_INT(_net_inet_ipsec, OID_AUTO, esp_port,
208	CTLFLAG_RW \| CTLFLAG_LOCKED, &esp_udp_encap_port, `0`, "");
209
210	#if INET6
211	struct ipsecstat ipsec6stat;
212	int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
213	int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
214	int ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
215	int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
216	struct secpolicy ip6_def_policy;
217	int ip6_ipsec_ecn = ECN_COMPATIBILITY; / ECN ignore(-1)/compatibility(0)/normal(1) /
218	int ip6_esp_randpad = -`1`;
219
220	/ net.inet6.ipsec6 /
221	SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
222	stats, CTLFLAG_RD \| CTLFLAG_LOCKED, &ipsec6stat, ipsecstat, "");
223	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
224	def_policy, CTLFLAG_RW \| CTLFLAG_LOCKED, &ip6_def_policy.policy, `0`, "");
225	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
226	CTLFLAG_RW \| CTLFLAG_LOCKED, &ip6_esp_trans_deflev, `0`, "");
227	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
228	CTLFLAG_RW \| CTLFLAG_LOCKED, &ip6_esp_net_deflev, `0`, "");
229	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
230	CTLFLAG_RW \| CTLFLAG_LOCKED, &ip6_ah_trans_deflev, `0`, "");
231	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
232	CTLFLAG_RW \| CTLFLAG_LOCKED, &ip6_ah_net_deflev, `0`, "");
233	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
234	ecn, CTLFLAG_RW \| CTLFLAG_LOCKED, &ip6_ipsec_ecn, `0`, "");
235	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
236	debug, CTLFLAG_RW \| CTLFLAG_LOCKED, &ipsec_debug, `0`, "");
237	SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
238	esp_randpad, CTLFLAG_RW \| CTLFLAG_LOCKED, &ip6_esp_randpad, `0`, "");
239	#endif /* INET6 */
240
241	static int ipsec_setspidx_interface(struct secpolicyindex , u_int, struct* mbuf *,
242	int, int, int);
243	static int ipsec_setspidx_mbuf(struct secpolicyindex *, u_int, u_int,
244	struct mbuf , int*);
245	static int ipsec4_setspidx_inpcb(struct mbuf , struct* inpcb *pcb);
246	#if INET6
247	static int ipsec6_setspidx_in6pcb(struct mbuf , struct* in6pcb *pcb);
248	#endif
249	static int ipsec_setspidx(struct mbuf , struct* secpolicyindex , int, int*);
250	static void ipsec4_get_ulp(struct mbuf m, struct* secpolicyindex , int*);
251	static int ipsec4_setspidx_ipaddr(struct mbuf , struct* secpolicyindex *);
252	#if INET6
253	static void ipsec6_get_ulp(struct mbuf m, struct* secpolicyindex , int*);
254	static int ipsec6_setspidx_ipaddr(struct mbuf , struct* secpolicyindex *);
255	#endif
256	static struct inpcbpolicy ipsec_newpcbpolicy(void*);
257	static void ipsec_delpcbpolicy(struct inpcbpolicy *);
258	static struct secpolicy ipsec_deepcopy_policy(struct* secpolicy *src);
259	static int ipsec_set_policy(struct secpolicy **pcb_sp,
260	int optname, caddr_t request, size_t len, int priv);
261	static void vshiftl(unsigned char , int, int*);
262	static int ipsec_in_reject(struct secpolicy , struct* mbuf *);
263	#if INET6
264	static int ipsec64_encapsulate(struct mbuf , struct* secasvar *);
265	static int ipsec6_update_routecache_and_output(struct ipsec_output_state state, struct* secasvar *sav);
266	static int ipsec46_encapsulate(struct ipsec_output_state state, struct* secasvar *sav);
267	#endif
268	static struct ipsec_tag ipsec_addaux(struct* mbuf *);
269	static struct ipsec_tag ipsec_findaux(struct* mbuf *);
270	static void ipsec_optaux(struct mbuf , struct* ipsec_tag *);
271	int ipsec_send_natt_keepalive(struct secasvar *sav);
272	bool ipsec_fill_offload_frame(ifnet_t ifp, struct secasvar sav, struct* ifnet_keepalive_offload_frame *frame, size_t frame_data_offset);
273
274	static int
275	sysctl_def_policy SYSCTL_HANDLER_ARGS
276	{
277	int old_policy = ip4_def_policy.policy;
278	int error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req);
279
280	#pragma unused(arg1, arg2)
281
282	if (ip4_def_policy.policy != IPSEC_POLICY_NONE &&
283	ip4_def_policy.policy != IPSEC_POLICY_DISCARD) {
284	ip4_def_policy.policy = old_policy;
285	return EINVAL;
286	}
287
288	/ Turn off the bypass if the default security policy changes /
289	if (ipsec_bypass != `0` && ip4_def_policy.policy != IPSEC_POLICY_NONE)
290	ipsec_bypass = `0`;
291
292	return error;
293	}
294
295	/*
296	* For OUTBOUND packet having a socket. Searching SPD for packet,
297	* and return a pointer to SP.
298	* OUT: NULL: no apropreate SP found, the following value is set to error.
299	* 0 : bypass
300	* EACCES : discard packet.
301	* ENOENT : ipsec_acquire() in progress, maybe.
302	* others : error occurred.
303	* others: a pointer to SP
304	*
305	* NOTE: IPv6 mapped adddress concern is implemented here.
306	*/
307	struct secpolicy *
308	ipsec4_getpolicybysock(struct mbuf *m,
309	u_int dir,
310	struct socket *so,
311	int *error)
312	{
313	struct inpcbpolicy *pcbsp = NULL;
314	struct secpolicy currsp = NULL; /* policy on socket /
315	struct secpolicy kernsp = NULL; /* policy on kernel /
316
317	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
318	/ sanity check /
319	if (m == NULL \|\| so == NULL \|\| error == NULL)
320	panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
321
322	if (so->so_pcb == NULL) {
323	printf("ipsec4_getpolicybysock: so->so_pcb == NULL\n");
324	return ipsec4_getpolicybyaddr(m, dir, `0`, error);
325	}
326
327	switch (SOCK_DOM(so)) {
328	case PF_INET:
329	pcbsp = sotoinpcb(so)->inp_sp;
330	break;
331	#if INET6
332	case PF_INET6:
333	pcbsp = sotoin6pcb(so)->in6p_sp;
334	break;
335	#endif
336	}
337
338	if (!pcbsp){
339	/ Socket has not specified an IPSEC policy /
340	return ipsec4_getpolicybyaddr(m, dir, `0`, error);
341	}
342
343	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_START, `0`,`0`,`0`,`0`,`0`);
344
345	switch (SOCK_DOM(so)) {
346	case PF_INET:
347	/ set spidx in pcb /
348	*error = ipsec4_setspidx_inpcb(m, sotoinpcb(so));
349	break;
350	#if INET6
351	case PF_INET6:
352	/ set spidx in pcb /
353	*error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
354	break;
355	#endif
356	default:
357	panic("ipsec4_getpolicybysock: unsupported address family\n");
358	}
359	if (*error) {
360	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `1`,*error,`0`,`0`,`0`);
361	return NULL;
362	}
363
364	/ sanity check /
365	if (pcbsp == NULL)
366	panic("ipsec4_getpolicybysock: pcbsp is NULL.\n");
367
368	switch (dir) {
369	case IPSEC_DIR_INBOUND:
370	currsp = pcbsp->sp_in;
371	break;
372	case IPSEC_DIR_OUTBOUND:
373	currsp = pcbsp->sp_out;
374	break;
375	default:
376	panic("ipsec4_getpolicybysock: illegal direction.\n");
377	}
378
379	/ sanity check /
380	if (currsp == NULL)
381	panic("ipsec4_getpolicybysock: currsp is NULL.\n");
382
383	/ when privilieged socket /
384	if (pcbsp->priv) {
385	switch (currsp->policy) {
386	case IPSEC_POLICY_BYPASS:
387	lck_mtx_lock(sadb_mutex);
388	currsp->refcnt++;
389	lck_mtx_unlock(sadb_mutex);
390	*error = `0`;
391	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `2`,*error,`0`,`0`,`0`);
392	return currsp;
393
394	case IPSEC_POLICY_ENTRUST:
395	/ look for a policy in SPD /
396	kernsp = key_allocsp(&currsp->spidx, dir);
397
398	/ SP found /
399	if (kernsp != NULL) {
400	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
401	printf("DP ipsec4_getpolicybysock called "
402	"to allocate SP:0x%llx\n",
403	(uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
404	*error = `0`;
405	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `3`,*error,`0`,`0`,`0`);
406	return kernsp;
407	}
408
409	/ no SP found /
410	lck_mtx_lock(sadb_mutex);
411	if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
412	&& ip4_def_policy.policy != IPSEC_POLICY_NONE) {
413	ipseclog((LOG_INFO,
414	"fixed system default policy: %d->%d\n",
415	ip4_def_policy.policy, IPSEC_POLICY_NONE));
416	ip4_def_policy.policy = IPSEC_POLICY_NONE;
417	}
418	ip4_def_policy.refcnt++;
419	lck_mtx_unlock(sadb_mutex);
420	*error = `0`;
421	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `4`,*error,`0`,`0`,`0`);
422	return &ip4_def_policy;
423
424	case IPSEC_POLICY_IPSEC:
425	lck_mtx_lock(sadb_mutex);
426	currsp->refcnt++;
427	lck_mtx_unlock(sadb_mutex);
428	*error = `0`;
429	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `5`,*error,`0`,`0`,`0`);
430	return currsp;
431
432	default:
433	ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
434	"Invalid policy for PCB %d\n", currsp->policy));
435	*error = EINVAL;
436	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `6`,*error,`0`,`0`,`0`);
437	return NULL;
438	}
439	/ NOTREACHED /
440	}
441
442	/ when non-privilieged socket /
443	/ look for a policy in SPD /
444	kernsp = key_allocsp(&currsp->spidx, dir);
445
446	/ SP found /
447	if (kernsp != NULL) {
448	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
449	printf("DP ipsec4_getpolicybysock called "
450	"to allocate SP:0x%llx\n",
451	(uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
452	*error = `0`;
453	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `7`,*error,`0`,`0`,`0`);
454	return kernsp;
455	}
456
457	/ no SP found /
458	switch (currsp->policy) {
459	case IPSEC_POLICY_BYPASS:
460	ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
461	"Illegal policy for non-priviliged defined %d\n",
462	currsp->policy));
463	*error = EINVAL;
464	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `8`,*error,`0`,`0`,`0`);
465	return NULL;
466
467	case IPSEC_POLICY_ENTRUST:
468	lck_mtx_lock(sadb_mutex);
469	if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
470	&& ip4_def_policy.policy != IPSEC_POLICY_NONE) {
471	ipseclog((LOG_INFO,
472	"fixed system default policy: %d->%d\n",
473	ip4_def_policy.policy, IPSEC_POLICY_NONE));
474	ip4_def_policy.policy = IPSEC_POLICY_NONE;
475	}
476	ip4_def_policy.refcnt++;
477	lck_mtx_unlock(sadb_mutex);
478	*error = `0`;
479	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `9`,*error,`0`,`0`,`0`);
480	return &ip4_def_policy;
481
482	case IPSEC_POLICY_IPSEC:
483	lck_mtx_lock(sadb_mutex);
484	currsp->refcnt++;
485	lck_mtx_unlock(sadb_mutex);
486	*error = `0`;
487	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `10`,*error,`0`,`0`,`0`);
488	return currsp;
489
490	default:
491	ipseclog((LOG_ERR, "ipsec4_getpolicybysock: "
492	"Invalid policy for PCB %d\n", currsp->policy));
493	*error = EINVAL;
494	KERNEL_DEBUG(DBG_FNC_GETPOL_SOCK \| DBG_FUNC_END, `11`,*error,`0`,`0`,`0`);
495	return NULL;
496	}
497	/ NOTREACHED /
498	}
499
500	/*
501	* For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
502	* and return a pointer to SP.
503	* OUT: positive: a pointer to the entry for security policy leaf matched.
504	* NULL: no apropreate SP found, the following value is set to error.
505	* 0 : bypass
506	* EACCES : discard packet.
507	* ENOENT : ipsec_acquire() in progress, maybe.
508	* others : error occurred.
509	*/
510	struct secpolicy *
511	ipsec4_getpolicybyaddr(struct mbuf *m,
512	u_int dir,
513	int flag,
514	int *error)
515	{
516	struct secpolicy *sp = NULL;
517
518	if (ipsec_bypass != `0`)
519	return `0`;
520
521	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
522
523	/ sanity check /
524	if (m == NULL \|\| error == NULL)
525	panic("ipsec4_getpolicybyaddr: NULL pointer was passed.\n");
526	{
527	struct secpolicyindex spidx;
528
529	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_START, `0`,`0`,`0`,`0`,`0`);
530	bzero(&spidx, sizeof(spidx));
531
532	/ make a index to look for a policy /
533	*error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
534	(flag & IP_FORWARDING) ? `0` : `1`);
535
536	if (*error != `0`) {
537	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_END, `1`,*error,`0`,`0`,`0`);
538	return NULL;
539	}
540
541	sp = key_allocsp(&spidx, dir);
542	}
543
544	/ SP found /
545	if (sp != NULL) {
546	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
547	printf("DP ipsec4_getpolicybyaddr called "
548	"to allocate SP:0x%llx\n",
549	(uint64_t)VM_KERNEL_ADDRPERM(sp)));
550	*error = `0`;
551	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_END, `2`,*error,`0`,`0`,`0`);
552	return sp;
553	}
554
555	/ no SP found /
556	lck_mtx_lock(sadb_mutex);
557	if (ip4_def_policy.policy != IPSEC_POLICY_DISCARD
558	&& ip4_def_policy.policy != IPSEC_POLICY_NONE) {
559	ipseclog((LOG_INFO, "fixed system default policy:%d->%d\n",
560	ip4_def_policy.policy,
561	IPSEC_POLICY_NONE));
562	ip4_def_policy.policy = IPSEC_POLICY_NONE;
563	}
564	ip4_def_policy.refcnt++;
565	lck_mtx_unlock(sadb_mutex);
566	*error = `0`;
567	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_END, `3`,*error,`0`,`0`,`0`);
568	return &ip4_def_policy;
569	}
570
571	/ Match with bound interface rather than src addr.*
572	* Unlike getpolicybyaddr, do not set the default policy.
573	* Return 0 if should continue processing, or -1 if packet
574	* should be dropped.
575	*/
576	int
577	ipsec4_getpolicybyinterface(struct mbuf *m,
578	u_int dir,
579	int *flags,
580	struct ip_out_args *ipoa,
581	struct secpolicy **sp)
582	{
583	struct secpolicyindex spidx;
584	int error = `0`;
585
586	if (ipsec_bypass != `0`)
587	return `0`;
588
589	/ Sanity check /
590	if (m == NULL \|\| ipoa == NULL \|\| sp == NULL)
591	panic("ipsec4_getpolicybyinterface: NULL pointer was passed.\n");
592
593	if (ipoa->ipoa_boundif == IFSCOPE_NONE)
594	return `0`;
595
596	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_START, `0`,`0`,`0`,`0`,`0`);
597	bzero(&spidx, sizeof(spidx));
598
599	/ make a index to look for a policy /
600	error = ipsec_setspidx_interface(&spidx, dir, m, (*flags & IP_FORWARDING) ? `0` : `1`,
601	ipoa->ipoa_boundif, `4`);
602
603	if (error != `0`) {
604	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_END, `1`,error,`0`,`0`,`0`);
605	return `0`;
606	}
607
608	*sp = key_allocsp(&spidx, dir);
609
610	/ Return SP, whether NULL or not /
611	if (sp != NULL && (sp)->policy == IPSEC_POLICY_IPSEC) {
612	if ((*sp)->ipsec_if == NULL) {
613	/ Invalid to capture on an interface without redirect /
614	key_freesp(*sp, KEY_SADB_UNLOCKED);
615	*sp = NULL;
616	return -`1`;
617	} else if ((*sp)->disabled) {
618	/ Disabled policies go in the clear /
619	key_freesp(*sp, KEY_SADB_UNLOCKED);
620	*sp = NULL;
621	flags \|= IP_NOIPSEC; /* Avoid later IPSec check /
622	} else {
623	/ If policy is enabled, redirect to ipsec interface /
624	ipoa->ipoa_boundif = (*sp)->ipsec_if->if_index;
625	}
626	}
627
628	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_END, `2`,error,`0`,`0`,`0`);
629
630	return `0`;
631	}
632
633
634	#if INET6
635	/*
636	* For OUTBOUND packet having a socket. Searching SPD for packet,
637	* and return a pointer to SP.
638	* OUT: NULL: no apropreate SP found, the following value is set to error.
639	* 0 : bypass
640	* EACCES : discard packet.
641	* ENOENT : ipsec_acquire() in progress, maybe.
642	* others : error occurred.
643	* others: a pointer to SP
644	*/
645	struct secpolicy *
646	ipsec6_getpolicybysock(struct mbuf *m,
647	u_int dir,
648	struct socket *so,
649	int *error)
650	{
651	struct inpcbpolicy *pcbsp = NULL;
652	struct secpolicy currsp = NULL; /* policy on socket /
653	struct secpolicy kernsp = NULL; /* policy on kernel /
654
655	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
656
657	/ sanity check /
658	if (m == NULL \|\| so == NULL \|\| error == NULL)
659	panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
660
661	#if DIAGNOSTIC
662	if (SOCK_DOM(so) != PF_INET6)
663	panic("ipsec6_getpolicybysock: socket domain != inet6\n");
664	#endif
665
666	pcbsp = sotoin6pcb(so)->in6p_sp;
667
668	if (!pcbsp){
669	return ipsec6_getpolicybyaddr(m, dir, `0`, error);
670	}
671
672	/ set spidx in pcb /
673	ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
674
675	/ sanity check /
676	if (pcbsp == NULL)
677	panic("ipsec6_getpolicybysock: pcbsp is NULL.\n");
678
679	switch (dir) {
680	case IPSEC_DIR_INBOUND:
681	currsp = pcbsp->sp_in;
682	break;
683	case IPSEC_DIR_OUTBOUND:
684	currsp = pcbsp->sp_out;
685	break;
686	default:
687	panic("ipsec6_getpolicybysock: illegal direction.\n");
688	}
689
690	/ sanity check /
691	if (currsp == NULL)
692	panic("ipsec6_getpolicybysock: currsp is NULL.\n");
693
694	/ when privilieged socket /
695	if (pcbsp->priv) {
696	switch (currsp->policy) {
697	case IPSEC_POLICY_BYPASS:
698	lck_mtx_lock(sadb_mutex);
699	currsp->refcnt++;
700	lck_mtx_unlock(sadb_mutex);
701	*error = `0`;
702	return currsp;
703
704	case IPSEC_POLICY_ENTRUST:
705	/ look for a policy in SPD /
706	kernsp = key_allocsp(&currsp->spidx, dir);
707
708	/ SP found /
709	if (kernsp != NULL) {
710	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
711	printf("DP ipsec6_getpolicybysock called "
712	"to allocate SP:0x%llx\n",
713	(uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
714	*error = `0`;
715	return kernsp;
716	}
717
718	/ no SP found /
719	lck_mtx_lock(sadb_mutex);
720	if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
721	&& ip6_def_policy.policy != IPSEC_POLICY_NONE) {
722	ipseclog((LOG_INFO,
723	"fixed system default policy: %d->%d\n",
724	ip6_def_policy.policy, IPSEC_POLICY_NONE));
725	ip6_def_policy.policy = IPSEC_POLICY_NONE;
726	}
727	ip6_def_policy.refcnt++;
728	lck_mtx_unlock(sadb_mutex);
729	*error = `0`;
730	return &ip6_def_policy;
731
732	case IPSEC_POLICY_IPSEC:
733	lck_mtx_lock(sadb_mutex);
734	currsp->refcnt++;
735	lck_mtx_unlock(sadb_mutex);
736	*error = `0`;
737	return currsp;
738
739	default:
740	ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
741	"Invalid policy for PCB %d\n", currsp->policy));
742	*error = EINVAL;
743	return NULL;
744	}
745	/ NOTREACHED /
746	}
747
748	/ when non-privilieged socket /
749	/ look for a policy in SPD /
750	kernsp = key_allocsp(&currsp->spidx, dir);
751
752	/ SP found /
753	if (kernsp != NULL) {
754	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
755	printf("DP ipsec6_getpolicybysock called "
756	"to allocate SP:0x%llx\n",
757	(uint64_t)VM_KERNEL_ADDRPERM(kernsp)));
758	*error = `0`;
759	return kernsp;
760	}
761
762	/ no SP found /
763	switch (currsp->policy) {
764	case IPSEC_POLICY_BYPASS:
765	ipseclog((LOG_ERR, "ipsec6_getpolicybysock: "
766	"Illegal policy for non-priviliged defined %d\n",
767	currsp->policy));
768	*error = EINVAL;
769	return NULL;
770
771	case IPSEC_POLICY_ENTRUST:
772	lck_mtx_lock(sadb_mutex);
773	if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
774	&& ip6_def_policy.policy != IPSEC_POLICY_NONE) {
775	ipseclog((LOG_INFO,
776	"fixed system default policy: %d->%d\n",
777	ip6_def_policy.policy, IPSEC_POLICY_NONE));
778	ip6_def_policy.policy = IPSEC_POLICY_NONE;
779	}
780	ip6_def_policy.refcnt++;
781	lck_mtx_unlock(sadb_mutex);
782	*error = `0`;
783	return &ip6_def_policy;
784
785	case IPSEC_POLICY_IPSEC:
786	lck_mtx_lock(sadb_mutex);
787	currsp->refcnt++;
788	lck_mtx_unlock(sadb_mutex);
789	*error = `0`;
790	return currsp;
791
792	default:
793	ipseclog((LOG_ERR,
794	"ipsec6_policybysock: Invalid policy for PCB %d\n",
795	currsp->policy));
796	*error = EINVAL;
797	return NULL;
798	}
799	/ NOTREACHED /
800	}
801
802	/*
803	* For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
804	* and return a pointer to SP.
805	* `flag' means that packet is to be forwarded whether or not.
806	* flag = 1: forwad
807	* OUT: positive: a pointer to the entry for security policy leaf matched.
808	* NULL: no apropreate SP found, the following value is set to error.
809	* 0 : bypass
810	* EACCES : discard packet.
811	* ENOENT : ipsec_acquire() in progress, maybe.
812	* others : error occurred.
813	*/
814	#ifndef IP_FORWARDING
815	#define IP_FORWARDING 1
816	#endif
817
818	struct secpolicy *
819	ipsec6_getpolicybyaddr(struct mbuf *m,
820	u_int dir,
821	int flag,
822	int *error)
823	{
824	struct secpolicy *sp = NULL;
825
826	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
827
828	/ sanity check /
829	if (m == NULL \|\| error == NULL)
830	panic("ipsec6_getpolicybyaddr: NULL pointer was passed.\n");
831
832	{
833	struct secpolicyindex spidx;
834
835	bzero(&spidx, sizeof(spidx));
836
837	/ make a index to look for a policy /
838	*error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
839	(flag & IP_FORWARDING) ? `0` : `1`);
840
841	if (*error != `0`)
842	return NULL;
843
844	sp = key_allocsp(&spidx, dir);
845	}
846
847	/ SP found /
848	if (sp != NULL) {
849	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
850	printf("DP ipsec6_getpolicybyaddr called "
851	"to allocate SP:0x%llx\n",
852	(uint64_t)VM_KERNEL_ADDRPERM(sp)));
853	*error = `0`;
854	return sp;
855	}
856
857	/ no SP found /
858	lck_mtx_lock(sadb_mutex);
859	if (ip6_def_policy.policy != IPSEC_POLICY_DISCARD
860	&& ip6_def_policy.policy != IPSEC_POLICY_NONE) {
861	ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
862	ip6_def_policy.policy, IPSEC_POLICY_NONE));
863	ip6_def_policy.policy = IPSEC_POLICY_NONE;
864	}
865	ip6_def_policy.refcnt++;
866	lck_mtx_unlock(sadb_mutex);
867	*error = `0`;
868	return &ip6_def_policy;
869	}
870
871	/ Match with bound interface rather than src addr.*
872	* Unlike getpolicybyaddr, do not set the default policy.
873	* Return 0 if should continue processing, or -1 if packet
874	* should be dropped.
875	*/
876	int
877	ipsec6_getpolicybyinterface(struct mbuf *m,
878	u_int dir,
879	int flag,
880	struct ip6_out_args *ip6oap,
881	int *noipsec,
882	struct secpolicy **sp)
883	{
884	struct secpolicyindex spidx;
885	int error = `0`;
886
887	if (ipsec_bypass != `0`)
888	return `0`;
889
890	/ Sanity check /
891	if (m == NULL \|\| sp == NULL \|\| noipsec == NULL \|\| ip6oap == NULL)
892	panic("ipsec6_getpolicybyinterface: NULL pointer was passed.\n");
893
894	*noipsec = `0`;
895
896	if (ip6oap->ip6oa_boundif == IFSCOPE_NONE)
897	return `0`;
898
899	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_START, `0`,`0`,`0`,`0`,`0`);
900	bzero(&spidx, sizeof(spidx));
901
902	/ make a index to look for a policy /
903	error = ipsec_setspidx_interface(&spidx, dir, m, (flag & IP_FORWARDING) ? `0` : `1`,
904	ip6oap->ip6oa_boundif, `6`);
905
906	if (error != `0`) {
907	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_END, `1`,error,`0`,`0`,`0`);
908	return `0`;
909	}
910
911	*sp = key_allocsp(&spidx, dir);
912
913	/ Return SP, whether NULL or not /
914	if (sp != NULL && (sp)->policy == IPSEC_POLICY_IPSEC) {
915	if ((*sp)->ipsec_if == NULL) {
916	/ Invalid to capture on an interface without redirect /
917	key_freesp(*sp, KEY_SADB_UNLOCKED);
918	*sp = NULL;
919	return -`1`;
920	} else if ((*sp)->disabled) {
921	/ Disabled policies go in the clear /
922	key_freesp(*sp, KEY_SADB_UNLOCKED);
923	*sp = NULL;
924	noipsec = `1`; /* Avoid later IPSec check /
925	} else {
926	/ If policy is enabled, redirect to ipsec interface /
927	ip6oap->ip6oa_boundif = (*sp)->ipsec_if->if_index;
928	}
929	}
930
931	KERNEL_DEBUG(DBG_FNC_GETPOL_ADDR \| DBG_FUNC_END, `2`,*error,`0`,`0`,`0`);
932
933	return `0`;
934	}
935	#endif /* INET6 */
936
937	/*
938	* set IP address into spidx from mbuf.
939	* When Forwarding packet and ICMP echo reply, this function is used.
940	*
941	* IN: get the followings from mbuf.
942	* protocol family, src, dst, next protocol
943	* OUT:
944	* 0: success.
945	* other: failure, and set errno.
946	*/
947	static int
948	ipsec_setspidx_mbuf(
949	struct secpolicyindex *spidx,
950	u_int dir,
951	__unused u_int family,
952	struct mbuf *m,
953	int needport)
954	{
955	int error;
956
957	/ sanity check /
958	if (spidx == NULL \|\| m == NULL)
959	panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
960
961	bzero(spidx, sizeof(*spidx));
962
963	error = ipsec_setspidx(m, spidx, needport, `0`);
964	if (error)
965	goto bad;
966	spidx->dir = dir;
967
968	return `0`;
969
970	bad:
971	/ XXX initialize /
972	bzero(spidx, sizeof(*spidx));
973	return EINVAL;
974	}
975
976	static int
977	ipsec_setspidx_interface(
978	struct secpolicyindex *spidx,
979	u_int dir,
980	struct mbuf *m,
981	int needport,
982	int ifindex,
983	int ip_version)
984	{
985	int error;
986
987	/ sanity check /
988	if (spidx == NULL \|\| m == NULL)
989	panic("ipsec_setspidx_interface: NULL pointer was passed.\n");
990
991	bzero(spidx, sizeof(*spidx));
992
993	error = ipsec_setspidx(m, spidx, needport, ip_version);
994	if (error)
995	goto bad;
996	spidx->dir = dir;
997
998	if (ifindex != `0`) {
999	ifnet_head_lock_shared();
1000	spidx->internal_if = ifindex2ifnet[ifindex];
1001	ifnet_head_done();
1002	} else {
1003	spidx->internal_if = NULL;
1004	}
1005
1006	return `0`;
1007
1008	bad:
1009	return EINVAL;
1010	}
1011
1012	static int
1013	ipsec4_setspidx_inpcb(struct mbuf m, struct* inpcb *pcb)
1014	{
1015	struct secpolicyindex *spidx;
1016	int error;
1017
1018	if (ipsec_bypass != `0`)
1019	return `0`;
1020
1021	/ sanity check /
1022	if (pcb == NULL)
1023	panic("ipsec4_setspidx_inpcb: no PCB found.\n");
1024	if (pcb->inp_sp == NULL)
1025	panic("ipsec4_setspidx_inpcb: no inp_sp found.\n");
1026	if (pcb->inp_sp->sp_out == NULL \|\| pcb->inp_sp->sp_in == NULL)
1027	panic("ipsec4_setspidx_inpcb: no sp_in/out found.\n");
1028
1029	bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
1030	bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
1031
1032	spidx = &pcb->inp_sp->sp_in->spidx;
1033	error = ipsec_setspidx(m, spidx, `1`, `0`);
1034	if (error)
1035	goto bad;
1036	spidx->dir = IPSEC_DIR_INBOUND;
1037
1038	spidx = &pcb->inp_sp->sp_out->spidx;
1039	error = ipsec_setspidx(m, spidx, `1`, `0`);
1040	if (error)
1041	goto bad;
1042	spidx->dir = IPSEC_DIR_OUTBOUND;
1043
1044	return `0`;
1045
1046	bad:
1047	bzero(&pcb->inp_sp->sp_in->spidx, sizeof(*spidx));
1048	bzero(&pcb->inp_sp->sp_out->spidx, sizeof(*spidx));
1049	return error;
1050	}
1051
1052	#if INET6
1053	static int
1054	ipsec6_setspidx_in6pcb(struct mbuf m, struct* in6pcb *pcb)
1055	{
1056	struct secpolicyindex *spidx;
1057	int error;
1058
1059	/ sanity check /
1060	if (pcb == NULL)
1061	panic("ipsec6_setspidx_in6pcb: no PCB found.\n");
1062	if (pcb->in6p_sp == NULL)
1063	panic("ipsec6_setspidx_in6pcb: no in6p_sp found.\n");
1064	if (pcb->in6p_sp->sp_out == NULL \|\| pcb->in6p_sp->sp_in == NULL)
1065	panic("ipsec6_setspidx_in6pcb: no sp_in/out found.\n");
1066
1067	bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
1068	bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
1069
1070	spidx = &pcb->in6p_sp->sp_in->spidx;
1071	error = ipsec_setspidx(m, spidx, `1`, `0`);
1072	if (error)
1073	goto bad;
1074	spidx->dir = IPSEC_DIR_INBOUND;
1075
1076	spidx = &pcb->in6p_sp->sp_out->spidx;
1077	error = ipsec_setspidx(m, spidx, `1`, `0`);
1078	if (error)
1079	goto bad;
1080	spidx->dir = IPSEC_DIR_OUTBOUND;
1081
1082	return `0`;
1083
1084	bad:
1085	bzero(&pcb->in6p_sp->sp_in->spidx, sizeof(*spidx));
1086	bzero(&pcb->in6p_sp->sp_out->spidx, sizeof(*spidx));
1087	return error;
1088	}
1089	#endif
1090
1091	/*
1092	* configure security policy index (src/dst/proto/sport/dport)
1093	* by looking at the content of mbuf.
1094	* the caller is responsible for error recovery (like clearing up spidx).
1095	*/
1096	static int
1097	ipsec_setspidx(struct mbuf *m,
1098	struct secpolicyindex *spidx,
1099	int needport,
1100	int force_ip_version)
1101	{
1102	struct ip *ip = NULL;
1103	struct ip ipbuf;
1104	u_int v;
1105	struct mbuf *n;
1106	int len;
1107	int error;
1108
1109	if (m == NULL)
1110	panic("ipsec_setspidx: m == 0 passed.\n");
1111
1112	/*
1113	* validate m->m_pkthdr.len. we see incorrect length if we
1114	* mistakenly call this function with inconsistent mbuf chain
1115	* (like 4.4BSD tcp/udp processing). XXX should we panic here?
1116	*/
1117	len = `0`;
1118	for (n = m; n; n = n->m_next)
1119	len += n->m_len;
1120	if (m->m_pkthdr.len != len) {
1121	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1122	printf("ipsec_setspidx: "
1123	"total of m_len(%d) != pkthdr.len(%d), "
1124	"ignored.\n",
1125	len, m->m_pkthdr.len));
1126	return EINVAL;
1127	}
1128
1129	if (m->m_pkthdr.len < sizeof(struct ip)) {
1130	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1131	printf("ipsec_setspidx: "
1132	"pkthdr.len(%d) < sizeof(struct ip), ignored.\n",
1133	m->m_pkthdr.len));
1134	return EINVAL;
1135	}
1136
1137	if (m->m_len >= sizeof(*ip))
1138	ip = mtod(m, struct ip *);
1139	else {
1140	m_copydata(m, `0`, sizeof(ipbuf), (caddr_t)&ipbuf);
1141	ip = &ipbuf;
1142	}
1143
1144	if (force_ip_version) {
1145	v = force_ip_version;
1146	} else {
1147	#ifdef _IP_VHL
1148	v = _IP_VHL_V(ip->ip_vhl);
1149	#else
1150	v = ip->ip_v;
1151	#endif
1152	}
1153	switch (v) {
1154	case `4`:
1155	error = ipsec4_setspidx_ipaddr(m, spidx);
1156	if (error)
1157	return error;
1158	ipsec4_get_ulp(m, spidx, needport);
1159	return `0`;
1160	#if INET6
1161	case `6`:
1162	if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
1163	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1164	printf("ipsec_setspidx: "
1165	"pkthdr.len(%d) < sizeof(struct ip6_hdr), "
1166	"ignored.\n", m->m_pkthdr.len));
1167	return EINVAL;
1168	}
1169	error = ipsec6_setspidx_ipaddr(m, spidx);
1170	if (error)
1171	return error;
1172	ipsec6_get_ulp(m, spidx, needport);
1173	return `0`;
1174	#endif
1175	default:
1176	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1177	printf("ipsec_setspidx: "
1178	"unknown IP version %u, ignored.\n", v));
1179	return EINVAL;
1180	}
1181	}
1182
1183	static void
1184	ipsec4_get_ulp(struct mbuf m, struct* secpolicyindex spidx, int* needport)
1185	{
1186	struct ip ip;
1187	struct ip6_ext ip6e;
1188	u_int8_t nxt;
1189	int off;
1190	struct tcphdr th;
1191	struct udphdr uh;
1192
1193	/ sanity check /
1194	if (m == NULL)
1195	panic("ipsec4_get_ulp: NULL pointer was passed.\n");
1196	if (m->m_pkthdr.len < sizeof(ip))
1197	panic("ipsec4_get_ulp: too short\n");
1198
1199	/ set default /
1200	spidx->ul_proto = IPSEC_ULPROTO_ANY;
1201	((struct sockaddr_in *)&spidx->src)->sin_port = IPSEC_PORT_ANY;
1202	((struct sockaddr_in *)&spidx->dst)->sin_port = IPSEC_PORT_ANY;
1203
1204	m_copydata(m, `0`, sizeof(ip), (caddr_t)&ip);
1205	/ ip_input() flips it into host endian XXX need more checking /
1206	if (ip.ip_off & (IP_MF \| IP_OFFMASK))
1207	return;
1208
1209	nxt = ip.ip_p;
1210	#ifdef _IP_VHL
1211	off = _IP_VHL_HL(ip->ip_vhl) << `2`;
1212	#else
1213	off = ip.ip_hl << `2`;
1214	#endif
1215	while (off < m->m_pkthdr.len) {
1216	switch (nxt) {
1217	case IPPROTO_TCP:
1218	spidx->ul_proto = nxt;
1219	if (!needport)
1220	return;
1221	if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1222	return;
1223	m_copydata(m, off, sizeof(th), (caddr_t)&th);
1224	((struct sockaddr_in *)&spidx->src)->sin_port =
1225	th.th_sport;
1226	((struct sockaddr_in *)&spidx->dst)->sin_port =
1227	th.th_dport;
1228	return;
1229	case IPPROTO_UDP:
1230	spidx->ul_proto = nxt;
1231	if (!needport)
1232	return;
1233	if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1234	return;
1235	m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1236	((struct sockaddr_in *)&spidx->src)->sin_port =
1237	uh.uh_sport;
1238	((struct sockaddr_in *)&spidx->dst)->sin_port =
1239	uh.uh_dport;
1240	return;
1241	case IPPROTO_AH:
1242	if (off + sizeof(ip6e) > m->m_pkthdr.len)
1243	return;
1244	m_copydata(m, off, sizeof(ip6e), (caddr_t)&ip6e);
1245	off += (ip6e.ip6e_len + `2`) << `2`;
1246	nxt = ip6e.ip6e_nxt;
1247	break;
1248	case IPPROTO_ICMP:
1249	default:
1250	/ XXX intermediate headers??? /
1251	spidx->ul_proto = nxt;
1252	return;
1253	}
1254	}
1255	}
1256
1257	/ assumes that m is sane /
1258	static int
1259	ipsec4_setspidx_ipaddr(struct mbuf m, struct* secpolicyindex *spidx)
1260	{
1261	struct ip *ip = NULL;
1262	struct ip ipbuf;
1263	struct sockaddr_in *sin;
1264
1265	if (m->m_len >= sizeof(*ip))
1266	ip = mtod(m, struct ip *);
1267	else {
1268	m_copydata(m, `0`, sizeof(ipbuf), (caddr_t)&ipbuf);
1269	ip = &ipbuf;
1270	}
1271
1272	sin = (struct sockaddr_in *)&spidx->src;
1273	bzero(sin, sizeof(*sin));
1274	sin->sin_family = AF_INET;
1275	sin->sin_len = sizeof(struct sockaddr_in);
1276	bcopy(&ip->ip_src, &sin->sin_addr, sizeof(ip->ip_src));
1277	spidx->prefs = sizeof(struct in_addr) << `3`;
1278
1279	sin = (struct sockaddr_in *)&spidx->dst;
1280	bzero(sin, sizeof(*sin));
1281	sin->sin_family = AF_INET;
1282	sin->sin_len = sizeof(struct sockaddr_in);
1283	bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(ip->ip_dst));
1284	spidx->prefd = sizeof(struct in_addr) << `3`;
1285
1286	return `0`;
1287	}
1288
1289	#if INET6
1290	static void
1291	ipsec6_get_ulp(struct mbuf *m,
1292	struct secpolicyindex *spidx,
1293	int needport)
1294	{
1295	int off, nxt;
1296	struct tcphdr th;
1297	struct udphdr uh;
1298
1299	/ sanity check /
1300	if (m == NULL)
1301	panic("ipsec6_get_ulp: NULL pointer was passed.\n");
1302
1303	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1304	printf("ipsec6_get_ulp:\n"); kdebug_mbuf(m));
1305
1306	/ set default /
1307	spidx->ul_proto = IPSEC_ULPROTO_ANY;
1308	((struct sockaddr_in6 *)&spidx->src)->sin6_port = IPSEC_PORT_ANY;
1309	((struct sockaddr_in6 *)&spidx->dst)->sin6_port = IPSEC_PORT_ANY;
1310
1311	nxt = -`1`;
1312	off = ip6_lasthdr(m, `0`, IPPROTO_IPV6, &nxt);
1313	if (off < `0` \|\| m->m_pkthdr.len < off)
1314	return;
1315
1316	switch (nxt) {
1317	case IPPROTO_TCP:
1318	spidx->ul_proto = nxt;
1319	if (!needport)
1320	break;
1321	if (off + sizeof(struct tcphdr) > m->m_pkthdr.len)
1322	break;
1323	m_copydata(m, off, sizeof(th), (caddr_t)&th);
1324	((struct sockaddr_in6 *)&spidx->src)->sin6_port = th.th_sport;
1325	((struct sockaddr_in6 *)&spidx->dst)->sin6_port = th.th_dport;
1326	break;
1327	case IPPROTO_UDP:
1328	spidx->ul_proto = nxt;
1329	if (!needport)
1330	break;
1331	if (off + sizeof(struct udphdr) > m->m_pkthdr.len)
1332	break;
1333	m_copydata(m, off, sizeof(uh), (caddr_t)&uh);
1334	((struct sockaddr_in6 *)&spidx->src)->sin6_port = uh.uh_sport;
1335	((struct sockaddr_in6 *)&spidx->dst)->sin6_port = uh.uh_dport;
1336	break;
1337	case IPPROTO_ICMPV6:
1338	default:
1339	/ XXX intermediate headers??? /
1340	spidx->ul_proto = nxt;
1341	break;
1342	}
1343	}
1344
1345	/ assumes that m is sane /
1346	static int
1347	ipsec6_setspidx_ipaddr(struct mbuf *m,
1348	struct secpolicyindex *spidx)
1349	{
1350	struct ip6_hdr *ip6 = NULL;
1351	struct ip6_hdr ip6buf;
1352	struct sockaddr_in6 *sin6;
1353
1354	if (m->m_len >= sizeof(*ip6))
1355	ip6 = mtod(m, struct ip6_hdr *);
1356	else {
1357	m_copydata(m, `0`, sizeof(ip6buf), (caddr_t)&ip6buf);
1358	ip6 = &ip6buf;
1359	}
1360
1361	sin6 = (struct sockaddr_in6 *)&spidx->src;
1362	bzero(sin6, sizeof(*sin6));
1363	sin6->sin6_family = AF_INET6;
1364	sin6->sin6_len = sizeof(struct sockaddr_in6);
1365	bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(ip6->ip6_src));
1366	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
1367	sin6->sin6_addr.s6_addr16[`1`] = `0`;
1368	sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[`1`]);
1369	}
1370	spidx->prefs = sizeof(struct in6_addr) << `3`;
1371
1372	sin6 = (struct sockaddr_in6 *)&spidx->dst;
1373	bzero(sin6, sizeof(*sin6));
1374	sin6->sin6_family = AF_INET6;
1375	sin6->sin6_len = sizeof(struct sockaddr_in6);
1376	bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(ip6->ip6_dst));
1377	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
1378	sin6->sin6_addr.s6_addr16[`1`] = `0`;
1379	sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[`1`]);
1380	}
1381	spidx->prefd = sizeof(struct in6_addr) << `3`;
1382
1383	return `0`;
1384	}
1385	#endif
1386
1387	static struct inpcbpolicy *
1388	ipsec_newpcbpolicy(void)
1389	{
1390	struct inpcbpolicy *p;
1391
1392	p = (struct inpcbpolicy )_MALLOC(sizeof(p), M_SECA, M_WAITOK);
1393	return p;
1394	}
1395
1396	static void
1397	ipsec_delpcbpolicy(struct inpcbpolicy *p)
1398	{
1399	FREE(p, M_SECA);
1400	}
1401
1402	/ initialize policy in PCB /
1403	int
1404	ipsec_init_policy(struct socket *so,
1405	struct inpcbpolicy **pcb_sp)
1406	{
1407	struct inpcbpolicy *new;
1408
1409	/ sanity check. /
1410	if (so == NULL \|\| pcb_sp == NULL)
1411	panic("ipsec_init_policy: NULL pointer was passed.\n");
1412
1413	new = ipsec_newpcbpolicy();
1414	if (new == NULL) {
1415	ipseclog((LOG_DEBUG, "ipsec_init_policy: No more memory.\n"));
1416	return ENOBUFS;
1417	}
1418	bzero(new, sizeof(*new));
1419
1420	#ifdef __APPLE__
1421	if (kauth_cred_issuser(so->so_cred))
1422	#else
1423	if (so->so_cred != `0` && !suser(so->so_cred->pc_ucred, NULL))
1424	#endif
1425	new->priv = `1`;
1426	else
1427	new->priv = `0`;
1428
1429	if ((new->sp_in = key_newsp()) == NULL) {
1430	ipsec_delpcbpolicy(new);
1431	return ENOBUFS;
1432	}
1433	new->sp_in->state = IPSEC_SPSTATE_ALIVE;
1434	new->sp_in->policy = IPSEC_POLICY_ENTRUST;
1435
1436	if ((new->sp_out = key_newsp()) == NULL) {
1437	key_freesp(new->sp_in, KEY_SADB_UNLOCKED);
1438	ipsec_delpcbpolicy(new);
1439	return ENOBUFS;
1440	}
1441	new->sp_out->state = IPSEC_SPSTATE_ALIVE;
1442	new->sp_out->policy = IPSEC_POLICY_ENTRUST;
1443
1444	*pcb_sp = new;
1445
1446	return `0`;
1447	}
1448
1449	/ copy old ipsec policy into new /
1450	int
1451	ipsec_copy_policy(struct inpcbpolicy *old,
1452	struct inpcbpolicy *new)
1453	{
1454	struct secpolicy *sp;
1455
1456	if (ipsec_bypass != `0`)
1457	return `0`;
1458
1459	sp = ipsec_deepcopy_policy(old->sp_in);
1460	if (sp) {
1461	key_freesp(new->sp_in, KEY_SADB_UNLOCKED);
1462	new->sp_in = sp;
1463	} else
1464	return ENOBUFS;
1465
1466	sp = ipsec_deepcopy_policy(old->sp_out);
1467	if (sp) {
1468	key_freesp(new->sp_out, KEY_SADB_UNLOCKED);
1469	new->sp_out = sp;
1470	} else
1471	return ENOBUFS;
1472
1473	new->priv = old->priv;
1474
1475	return `0`;
1476	}
1477
1478	/ deep-copy a policy in PCB /
1479	static struct secpolicy *
1480	ipsec_deepcopy_policy(struct secpolicy *src)
1481	{
1482	struct ipsecrequest *newchain = NULL;
1483	struct ipsecrequest *p;
1484	struct ipsecrequest **q;
1485	struct ipsecrequest *r;
1486	struct secpolicy *dst;
1487
1488	if (src == NULL)
1489	return NULL;
1490	dst = key_newsp();
1491	if (dst == NULL)
1492	return NULL;
1493
1494	/*
1495	* deep-copy IPsec request chain. This is required since struct
1496	* ipsecrequest is not reference counted.
1497	*/
1498	q = &newchain;
1499	for (p = src->req; p; p = p->next) {
1500	q = (struct* ipsecrequest )_MALLOC(sizeof(struct* ipsecrequest),
1501	M_SECA, M_WAITOK \| M_ZERO);
1502	if (*q == NULL)
1503	goto fail;
1504	(*q)->next = NULL;
1505
1506	(*q)->saidx.proto = p->saidx.proto;
1507	(*q)->saidx.mode = p->saidx.mode;
1508	(*q)->level = p->level;
1509	(*q)->saidx.reqid = p->saidx.reqid;
1510
1511	bcopy(&p->saidx.src, &(q)->saidx.src, sizeof((q)->saidx.src));
1512	bcopy(&p->saidx.dst, &(q)->saidx.dst, sizeof((q)->saidx.dst));
1513
1514	(*q)->sp = dst;
1515
1516	q = &((*q)->next);
1517	}
1518
1519	dst->req = newchain;
1520	dst->state = src->state;
1521	dst->policy = src->policy;
1522	/ do not touch the refcnt fields /
1523
1524	return dst;
1525
1526	fail:
1527	for (p = newchain; p; p = r) {
1528	r = p->next;
1529	FREE(p, M_SECA);
1530	p = NULL;
1531	}
1532	key_freesp(dst, KEY_SADB_UNLOCKED);
1533	return NULL;
1534	}
1535
1536	/ set policy and ipsec request if present. /
1537	static int
1538	ipsec_set_policy(struct secpolicy **pcb_sp,
1539	__unused int optname,
1540	caddr_t request,
1541	size_t len,
1542	int priv)
1543	{
1544	struct sadb_x_policy *xpl;
1545	struct secpolicy *newsp = NULL;
1546	int error;
1547
1548	/ sanity check. /
1549	if (pcb_sp == NULL \|\| *pcb_sp == NULL \|\| request == NULL)
1550	return EINVAL;
1551	if (len < sizeof(*xpl))
1552	return EINVAL;
1553	xpl = (struct sadb_x_policy )(void* *)request;
1554
1555	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1556	printf("ipsec_set_policy: passed policy\n");
1557	kdebug_sadb_x_policy((struct sadb_ext *)xpl));
1558
1559	/ check policy type /
1560	/ ipsec_set_policy() accepts IPSEC, ENTRUST and BYPASS. /
1561	if (xpl->sadb_x_policy_type == IPSEC_POLICY_DISCARD
1562	\|\| xpl->sadb_x_policy_type == IPSEC_POLICY_NONE)
1563	return EINVAL;
1564
1565	/ check privileged socket /
1566	if (priv == `0` && xpl->sadb_x_policy_type == IPSEC_POLICY_BYPASS)
1567	return EACCES;
1568
1569	/ allocation new SP entry /
1570	if ((newsp = key_msg2sp(xpl, len, &error)) == NULL)
1571	return error;
1572
1573	newsp->state = IPSEC_SPSTATE_ALIVE;
1574
1575	/ clear old SP and set new SP /
1576	key_freesp(*pcb_sp, KEY_SADB_UNLOCKED);
1577	*pcb_sp = newsp;
1578	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1579	printf("ipsec_set_policy: new policy\n");
1580	kdebug_secpolicy(newsp));
1581
1582	return `0`;
1583	}
1584
1585	int
1586	ipsec4_set_policy(struct inpcb *inp,
1587	int optname,
1588	caddr_t request,
1589	size_t len,
1590	int priv)
1591	{
1592	struct sadb_x_policy *xpl;
1593	struct secpolicy **pcb_sp;
1594	int error = `0`;
1595	struct sadb_x_policy xpl_aligned_buf;
1596	u_int8_t *xpl_unaligned;
1597
1598	/ sanity check. /
1599	if (inp == NULL \|\| request == NULL)
1600	return EINVAL;
1601	if (len < sizeof(*xpl))
1602	return EINVAL;
1603	xpl = (struct sadb_x_policy )(void* *)request;
1604
1605	/ This is a new mbuf allocated by soopt_getm() /
1606	if (IPSEC_IS_P2ALIGNED(xpl)) {
1607	xpl_unaligned = NULL;
1608	} else {
1609	xpl_unaligned = (__typeof__(xpl_unaligned))xpl;
1610	memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf));
1611	xpl = (__typeof__(xpl))&xpl_aligned_buf;
1612	}
1613
1614	if (inp->inp_sp == NULL) {
1615	error = ipsec_init_policy(inp->inp_socket, &inp->inp_sp);
1616	if (error)
1617	return error;
1618	}
1619
1620	/ select direction /
1621	switch (xpl->sadb_x_policy_dir) {
1622	case IPSEC_DIR_INBOUND:
1623	pcb_sp = &inp->inp_sp->sp_in;
1624	break;
1625	case IPSEC_DIR_OUTBOUND:
1626	pcb_sp = &inp->inp_sp->sp_out;
1627	break;
1628	default:
1629	ipseclog((LOG_ERR, "ipsec4_set_policy: invalid direction=%u\n",
1630	xpl->sadb_x_policy_dir));
1631	return EINVAL;
1632	}
1633
1634	/ turn bypass off /
1635	if (ipsec_bypass != `0`)
1636	ipsec_bypass = `0`;
1637
1638	return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1639	}
1640
1641	/ delete policy in PCB /
1642	int
1643	ipsec4_delete_pcbpolicy(struct inpcb *inp)
1644	{
1645
1646	/ sanity check. /
1647	if (inp == NULL)
1648	panic("ipsec4_delete_pcbpolicy: NULL pointer was passed.\n");
1649
1650	if (inp->inp_sp == NULL)
1651	return `0`;
1652
1653	if (inp->inp_sp->sp_in != NULL) {
1654	key_freesp(inp->inp_sp->sp_in, KEY_SADB_UNLOCKED);
1655	inp->inp_sp->sp_in = NULL;
1656	}
1657
1658	if (inp->inp_sp->sp_out != NULL) {
1659	key_freesp(inp->inp_sp->sp_out, KEY_SADB_UNLOCKED);
1660	inp->inp_sp->sp_out = NULL;
1661	}
1662
1663	ipsec_delpcbpolicy(inp->inp_sp);
1664	inp->inp_sp = NULL;
1665
1666	return `0`;
1667	}
1668
1669	#if INET6
1670	int
1671	ipsec6_set_policy(struct in6pcb *in6p,
1672	int optname,
1673	caddr_t request,
1674	size_t len,
1675	int priv)
1676	{
1677	struct sadb_x_policy *xpl;
1678	struct secpolicy **pcb_sp;
1679	int error = `0`;
1680	struct sadb_x_policy xpl_aligned_buf;
1681	u_int8_t *xpl_unaligned;
1682
1683	/ sanity check. /
1684	if (in6p == NULL \|\| request == NULL)
1685	return EINVAL;
1686	if (len < sizeof(*xpl))
1687	return EINVAL;
1688	xpl = (struct sadb_x_policy )(void* *)request;
1689
1690	/ This is a new mbuf allocated by soopt_getm() /
1691	if (IPSEC_IS_P2ALIGNED(xpl)) {
1692	xpl_unaligned = NULL;
1693	} else {
1694	xpl_unaligned = (__typeof__(xpl_unaligned))xpl;
1695	memcpy(&xpl_aligned_buf, xpl, sizeof(xpl_aligned_buf));
1696	xpl = (__typeof__(xpl))&xpl_aligned_buf;
1697	}
1698
1699	if (in6p->in6p_sp == NULL) {
1700	error = ipsec_init_policy(in6p->inp_socket, &in6p->in6p_sp);
1701	if (error)
1702	return error;
1703	}
1704
1705	/ select direction /
1706	switch (xpl->sadb_x_policy_dir) {
1707	case IPSEC_DIR_INBOUND:
1708	pcb_sp = &in6p->in6p_sp->sp_in;
1709	break;
1710	case IPSEC_DIR_OUTBOUND:
1711	pcb_sp = &in6p->in6p_sp->sp_out;
1712	break;
1713	default:
1714	ipseclog((LOG_ERR, "ipsec6_set_policy: invalid direction=%u\n",
1715	xpl->sadb_x_policy_dir));
1716	return EINVAL;
1717	}
1718
1719	return ipsec_set_policy(pcb_sp, optname, request, len, priv);
1720	}
1721
1722	int
1723	ipsec6_delete_pcbpolicy(struct in6pcb *in6p)
1724	{
1725
1726	/ sanity check. /
1727	if (in6p == NULL)
1728	panic("ipsec6_delete_pcbpolicy: NULL pointer was passed.\n");
1729
1730	if (in6p->in6p_sp == NULL)
1731	return `0`;
1732
1733	if (in6p->in6p_sp->sp_in != NULL) {
1734	key_freesp(in6p->in6p_sp->sp_in, KEY_SADB_UNLOCKED);
1735	in6p->in6p_sp->sp_in = NULL;
1736	}
1737
1738	if (in6p->in6p_sp->sp_out != NULL) {
1739	key_freesp(in6p->in6p_sp->sp_out, KEY_SADB_UNLOCKED);
1740	in6p->in6p_sp->sp_out = NULL;
1741	}
1742
1743	ipsec_delpcbpolicy(in6p->in6p_sp);
1744	in6p->in6p_sp = NULL;
1745
1746	return `0`;
1747	}
1748	#endif
1749
1750	/*
1751	* return current level.
1752	* Either IPSEC_LEVEL_USE or IPSEC_LEVEL_REQUIRE are always returned.
1753	*/
1754	u_int
1755	ipsec_get_reqlevel(struct ipsecrequest *isr)
1756	{
1757	u_int level = `0`;
1758	u_int esp_trans_deflev = `0`, esp_net_deflev = `0`, ah_trans_deflev = `0`, ah_net_deflev = `0`;
1759
1760	/ sanity check /
1761	if (isr == NULL \|\| isr->sp == NULL)
1762	panic("ipsec_get_reqlevel: NULL pointer is passed.\n");
1763	if (((struct sockaddr *)&isr->sp->spidx.src)->sa_family
1764	!= ((struct sockaddr *)&isr->sp->spidx.dst)->sa_family)
1765	panic("ipsec_get_reqlevel: family mismatched.\n");
1766
1767	/ XXX note that we have ipseclog() expanded here - code sync issue /
1768	#define IPSEC_CHECK_DEFAULT(lev) \
1769	(((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
1770	&& (lev) != IPSEC_LEVEL_UNIQUE) \
1771	? (ipsec_debug \
1772	? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
1773	(lev), IPSEC_LEVEL_REQUIRE) \
1774	: (void)0), \
1775	(lev) = IPSEC_LEVEL_REQUIRE, \
1776	(lev) \
1777	: (lev))
1778
1779	/ set default level /
1780	switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
1781	#if INET
1782	case AF_INET:
1783	esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
1784	esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
1785	ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
1786	ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
1787	break;
1788	#endif
1789	#if INET6
1790	case AF_INET6:
1791	esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
1792	esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
1793	ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
1794	ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
1795	break;
1796	#endif /* INET6 */
1797	default:
1798	panic("key_get_reqlevel: Unknown family. %d\n",
1799	((struct sockaddr *)&isr->sp->spidx.src)->sa_family);
1800	}
1801
1802	#undef IPSEC_CHECK_DEFAULT
1803
1804	/ set level /
1805	switch (isr->level) {
1806	case IPSEC_LEVEL_DEFAULT:
1807	switch (isr->saidx.proto) {
1808	case IPPROTO_ESP:
1809	if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1810	level = esp_net_deflev;
1811	else
1812	level = esp_trans_deflev;
1813	break;
1814	case IPPROTO_AH:
1815	if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
1816	level = ah_net_deflev;
1817	else
1818	level = ah_trans_deflev;
1819	break;
1820	case IPPROTO_IPCOMP:
1821	/*
1822	* we don't really care, as IPcomp document says that
1823	* we shouldn't compress small packets
1824	*/
1825	level = IPSEC_LEVEL_USE;
1826	break;
1827	default:
1828	panic("ipsec_get_reqlevel: "
1829	"Illegal protocol defined %u\n",
1830	isr->saidx.proto);
1831	}
1832	break;
1833
1834	case IPSEC_LEVEL_USE:
1835	case IPSEC_LEVEL_REQUIRE:
1836	level = isr->level;
1837	break;
1838	case IPSEC_LEVEL_UNIQUE:
1839	level = IPSEC_LEVEL_REQUIRE;
1840	break;
1841
1842	default:
1843	panic("ipsec_get_reqlevel: Illegal IPsec level %u\n",
1844	isr->level);
1845	}
1846
1847	return level;
1848	}
1849
1850	/*
1851	* Check AH/ESP integrity.
1852	* OUT:
1853	* 0: valid
1854	* 1: invalid
1855	*/
1856	static int
1857	ipsec_in_reject(struct secpolicy sp, struct* mbuf *m)
1858	{
1859	struct ipsecrequest *isr;
1860	u_int level;
1861	int need_auth, need_conf, need_icv;
1862
1863	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
1864	printf("ipsec_in_reject: using SP\n");
1865	kdebug_secpolicy(sp));
1866
1867	/ check policy /
1868	switch (sp->policy) {
1869	case IPSEC_POLICY_DISCARD:
1870	case IPSEC_POLICY_GENERATE:
1871	return `1`;
1872	case IPSEC_POLICY_BYPASS:
1873	case IPSEC_POLICY_NONE:
1874	return `0`;
1875
1876	case IPSEC_POLICY_IPSEC:
1877	break;
1878
1879	case IPSEC_POLICY_ENTRUST:
1880	default:
1881	panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
1882	}
1883
1884	need_auth = `0`;
1885	need_conf = `0`;
1886	need_icv = `0`;
1887
1888	/ XXX should compare policy against ipsec header history /
1889
1890	for (isr = sp->req; isr != NULL; isr = isr->next) {
1891
1892	/ get current level /
1893	level = ipsec_get_reqlevel(isr);
1894
1895	switch (isr->saidx.proto) {
1896	case IPPROTO_ESP:
1897	if (level == IPSEC_LEVEL_REQUIRE) {
1898	need_conf++;
1899
1900	#if 0
1901	/ this won't work with multiple input threads - isr->sav would change*
1902	* with every packet and is not necessarily related to the current packet
1903	* being processed. If ESP processing is required - the esp code should
1904	* make sure that the integrity check is present and correct. I don't see
1905	* why it would be necessary to check for the presence of the integrity
1906	* check value here. I think this is just wrong.
1907	* isr->sav has been removed.
1908	* %%%%%% this needs to be re-worked at some point but I think the code below can
1909	* be ignored for now.
1910	*/
1911	if (isr->sav != NULL
1912	&& isr->sav->flags == SADB_X_EXT_NONE
1913	&& isr->sav->alg_auth != SADB_AALG_NONE)
1914	need_icv++;
1915	#endif
1916	}
1917	break;
1918	case IPPROTO_AH:
1919	if (level == IPSEC_LEVEL_REQUIRE) {
1920	need_auth++;
1921	need_icv++;
1922	}
1923	break;
1924	case IPPROTO_IPCOMP:
1925	/*
1926	* we don't really care, as IPcomp document says that
1927	* we shouldn't compress small packets, IPComp policy
1928	* should always be treated as being in "use" level.
1929	*/
1930	break;
1931	}
1932	}
1933
1934	KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
1935	printf("ipsec_in_reject: auth:%d conf:%d icv:%d m_flags:%x\n",
1936	need_auth, need_conf, need_icv, m->m_flags));
1937
1938	if ((need_conf && !(m->m_flags & M_DECRYPTED))
1939	\|\| (!need_auth && need_icv && !(m->m_flags & M_AUTHIPDGM))
1940	\|\| (need_auth && !(m->m_flags & M_AUTHIPHDR)))
1941	return `1`;
1942
1943	return `0`;
1944	}
1945
1946	/*
1947	* Check AH/ESP integrity.
1948	* This function is called from tcp_input(), udp_input(),
1949	* and {ah,esp}4_input for tunnel mode
1950	*/
1951	int
1952	ipsec4_in_reject_so(struct mbuf m, struct* socket *so)
1953	{
1954	struct secpolicy *sp = NULL;
1955	int error;
1956	int result;
1957
1958	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
1959	/ sanity check /
1960	if (m == NULL)
1961	return `0`; / XXX should be panic ? /
1962
1963	/ get SP for this packet.*
1964	* When we are called from ip_forward(), we call
1965	* ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
1966	*/
1967	if (so == NULL)
1968	sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
1969	else
1970	sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, `0`, &error);
1971
1972	if (sp == NULL)
1973	return `0`; / XXX should be panic ?*
1974	* -> No, there may be error. */
1975
1976	result = ipsec_in_reject(sp, m);
1977	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
1978	printf("DP ipsec4_in_reject_so call free SP:0x%llx\n",
1979	(uint64_t)VM_KERNEL_ADDRPERM(sp)));
1980	key_freesp(sp, KEY_SADB_UNLOCKED);
1981
1982	return result;
1983	}
1984
1985	int
1986	ipsec4_in_reject(struct mbuf m, struct* inpcb *inp)
1987	{
1988	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
1989	if (inp == NULL)
1990	return ipsec4_in_reject_so(m, NULL);
1991	if (inp->inp_socket)
1992	return ipsec4_in_reject_so(m, inp->inp_socket);
1993	else
1994	panic("ipsec4_in_reject: invalid inpcb/socket");
1995
1996	/ NOTREACHED /
1997	return `0`;
1998	}
1999
2000	#if INET6
2001	/*
2002	* Check AH/ESP integrity.
2003	* This function is called from tcp6_input(), udp6_input(),
2004	* and {ah,esp}6_input for tunnel mode
2005	*/
2006	int
2007	ipsec6_in_reject_so(struct mbuf m, struct* socket *so)
2008	{
2009	struct secpolicy *sp = NULL;
2010	int error;
2011	int result;
2012
2013	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2014	/ sanity check /
2015	if (m == NULL)
2016	return `0`; / XXX should be panic ? /
2017
2018	/ get SP for this packet.*
2019	* When we are called from ip_forward(), we call
2020	* ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
2021	*/
2022	if (so == NULL)
2023	sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
2024	else
2025	sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, `0`, &error);
2026
2027	if (sp == NULL)
2028	return `0`; / XXX should be panic ? /
2029
2030	result = ipsec_in_reject(sp, m);
2031	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2032	printf("DP ipsec6_in_reject_so call free SP:0x%llx\n",
2033	(uint64_t)VM_KERNEL_ADDRPERM(sp)));
2034	key_freesp(sp, KEY_SADB_UNLOCKED);
2035
2036	return result;
2037	}
2038
2039	int
2040	ipsec6_in_reject(struct mbuf m, struct* in6pcb *in6p)
2041	{
2042
2043	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2044	if (in6p == NULL)
2045	return ipsec6_in_reject_so(m, NULL);
2046	if (in6p->in6p_socket)
2047	return ipsec6_in_reject_so(m, in6p->in6p_socket);
2048	else
2049	panic("ipsec6_in_reject: invalid in6p/socket");
2050
2051	/ NOTREACHED /
2052	return `0`;
2053	}
2054	#endif
2055
2056	/*
2057	* compute the byte size to be occupied by IPsec header.
2058	* in case it is tunneled, it includes the size of outer IP header.
2059	* NOTE: SP passed is free in this function.
2060	*/
2061	size_t
2062	ipsec_hdrsiz(struct secpolicy *sp)
2063	{
2064	struct ipsecrequest *isr;
2065	size_t siz, clen;
2066
2067	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2068	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2069	printf("ipsec_hdrsiz: using SP\n");
2070	kdebug_secpolicy(sp));
2071
2072	/ check policy /
2073	switch (sp->policy) {
2074	case IPSEC_POLICY_DISCARD:
2075	case IPSEC_POLICY_GENERATE:
2076	case IPSEC_POLICY_BYPASS:
2077	case IPSEC_POLICY_NONE:
2078	return `0`;
2079
2080	case IPSEC_POLICY_IPSEC:
2081	break;
2082
2083	case IPSEC_POLICY_ENTRUST:
2084	default:
2085	panic("ipsec_hdrsiz: Invalid policy found. %d\n", sp->policy);
2086	}
2087
2088	siz = `0`;
2089
2090	for (isr = sp->req; isr != NULL; isr = isr->next) {
2091
2092	clen = `0`;
2093
2094	switch (isr->saidx.proto) {
2095	case IPPROTO_ESP:
2096	#if IPSEC_ESP
2097	clen = esp_hdrsiz(isr);
2098	#else
2099	clen = `0`; /XXX/
2100	#endif
2101	break;
2102	case IPPROTO_AH:
2103	clen = ah_hdrsiz(isr);
2104	break;
2105	case IPPROTO_IPCOMP:
2106	clen = sizeof(struct ipcomp);
2107	break;
2108	}
2109
2110	if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
2111	switch (((struct sockaddr *)&isr->saidx.dst)->sa_family) {
2112	case AF_INET:
2113	clen += sizeof(struct ip);
2114	break;
2115	#if INET6
2116	case AF_INET6:
2117	clen += sizeof(struct ip6_hdr);
2118	break;
2119	#endif
2120	default:
2121	ipseclog((LOG_ERR, "ipsec_hdrsiz: "
2122	"unknown AF %d in IPsec tunnel SA\n",
2123	((struct sockaddr *)&isr->saidx.dst)->sa_family));
2124	break;
2125	}
2126	}
2127	siz += clen;
2128	}
2129
2130	return siz;
2131	}
2132
2133	/ This function is called from ip_forward() and ipsec4_hdrsize_tcp(). /
2134	size_t
2135	ipsec4_hdrsiz(struct mbuf m, u_int dir, struct* inpcb *inp)
2136	{
2137	struct secpolicy *sp = NULL;
2138	int error;
2139	size_t size;
2140
2141	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2142	/ sanity check /
2143	if (m == NULL)
2144	return `0`; / XXX should be panic ? /
2145	if (inp != NULL && inp->inp_socket == NULL)
2146	panic("ipsec4_hdrsize: why is socket NULL but there is PCB.");
2147
2148	/ get SP for this packet.*
2149	* When we are called from ip_forward(), we call
2150	* ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
2151	*/
2152	if (inp == NULL)
2153	sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2154	else
2155	sp = ipsec4_getpolicybyaddr(m, dir, `0`, &error);
2156
2157	if (sp == NULL)
2158	return `0`; / XXX should be panic ? /
2159
2160	size = ipsec_hdrsiz(sp);
2161	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2162	printf("DP ipsec4_hdrsiz call free SP:0x%llx\n",
2163	(uint64_t)VM_KERNEL_ADDRPERM(sp)));
2164	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2165	printf("ipsec4_hdrsiz: size:%lu.\n", (u_int32_t)size));
2166	key_freesp(sp, KEY_SADB_UNLOCKED);
2167
2168	return size;
2169	}
2170
2171	#if INET6
2172	/ This function is called from ipsec6_hdrsize_tcp(),*
2173	* and maybe from ip6_forward.()
2174	*/
2175	size_t
2176	ipsec6_hdrsiz(struct mbuf m, u_int dir, struct* in6pcb *in6p)
2177	{
2178	struct secpolicy *sp = NULL;
2179	int error;
2180	size_t size;
2181
2182	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
2183	/ sanity check /
2184	if (m == NULL)
2185	return `0`; / XXX shoud be panic ? /
2186	if (in6p != NULL && in6p->in6p_socket == NULL)
2187	panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
2188
2189	/ get SP for this packet /
2190	/ XXX Is it right to call with IP_FORWARDING. /
2191	if (in6p == NULL)
2192	sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
2193	else
2194	sp = ipsec6_getpolicybyaddr(m, dir, `0`, &error);
2195
2196	if (sp == NULL)
2197	return `0`;
2198	size = ipsec_hdrsiz(sp);
2199	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
2200	printf("DP ipsec6_hdrsiz call free SP:0x%llx\n",
2201	(uint64_t)VM_KERNEL_ADDRPERM(sp)));
2202	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
2203	printf("ipsec6_hdrsiz: size:%lu.\n", (u_int32_t)size));
2204	key_freesp(sp, KEY_SADB_UNLOCKED);
2205
2206	return size;
2207	}
2208	#endif /INET6/
2209
2210	#if INET
2211	/*
2212	* encapsulate for ipsec tunnel.
2213	* ip->ip_src must be fixed later on.
2214	*/
2215	int
2216	ipsec4_encapsulate(struct mbuf m, struct* secasvar *sav)
2217	{
2218	struct ip *oip;
2219	struct ip *ip;
2220	size_t hlen;
2221	size_t plen;
2222
2223	/ can't tunnel between different AFs /
2224	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2225	!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2226	\|\| ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2227	m_freem(m);
2228	return EINVAL;
2229	}
2230	#if 0
2231	/ XXX if the dst is myself, perform nothing. /
2232	if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2233	m_freem(m);
2234	return EINVAL;
2235	}
2236	#endif
2237
2238	if (m->m_len < sizeof(*ip))
2239	panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2240
2241	ip = mtod(m, struct ip *);
2242	#ifdef _IP_VHL
2243	hlen = _IP_VHL_HL(ip->ip_vhl) << `2`;
2244	#else
2245	hlen = ip->ip_hl << `2`;
2246	#endif
2247
2248	if (m->m_len != hlen)
2249	panic("ipsec4_encapsulate: assumption failed (first mbuf length)");
2250
2251	/ generate header checksum /
2252	ip->ip_sum = `0`;
2253	#ifdef _IP_VHL
2254	ip->ip_sum = in_cksum(m, hlen);
2255	#else
2256	ip->ip_sum = in_cksum(m, hlen);
2257	#endif
2258
2259	plen = m->m_pkthdr.len;
2260
2261	/*
2262	* grow the mbuf to accomodate the new IPv4 header.
2263	* NOTE: IPv4 options will never be copied.
2264	*/
2265	if (M_LEADINGSPACE(m->m_next) < hlen) {
2266	struct mbuf *n;
2267	MGET(n, M_DONTWAIT, MT_DATA);
2268	if (!n) {
2269	m_freem(m);
2270	return ENOBUFS;
2271	}
2272	n->m_len = hlen;
2273	n->m_next = m->m_next;
2274	m->m_next = n;
2275	m->m_pkthdr.len += hlen;
2276	oip = mtod(n, struct ip *);
2277	} else {
2278	m->m_next->m_len += hlen;
2279	m->m_next->m_data -= hlen;
2280	m->m_pkthdr.len += hlen;
2281	oip = mtod(m->m_next, struct ip *);
2282	}
2283	ip = mtod(m, struct ip *);
2284	ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2285	m->m_len = sizeof(struct ip);
2286	m->m_pkthdr.len -= (hlen - sizeof(struct ip));
2287
2288	/ construct new IPv4 header. see RFC 2401 5.1.2.1 /
2289	/ ECN consideration. /
2290	ip_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &oip->ip_tos);
2291	#ifdef _IP_VHL
2292	ip->ip_vhl = IP_MAKE_VHL(IPVERSION, sizeof(struct ip) >> `2`);
2293	#else
2294	ip->ip_hl = sizeof(struct ip) >> `2`;
2295	#endif
2296	ip->ip_off &= htons(~IP_OFFMASK);
2297	ip->ip_off &= htons(~IP_MF);
2298	switch (ip4_ipsec_dfbit) {
2299	case `0`: / clear DF bit /
2300	ip->ip_off &= htons(~IP_DF);
2301	break;
2302	case `1`: / set DF bit /
2303	ip->ip_off \|= htons(IP_DF);
2304	break;
2305	default: / copy DF bit /
2306	break;
2307	}
2308	ip->ip_p = IPPROTO_IPIP;
2309	if (plen + sizeof(struct ip) < IP_MAXPACKET)
2310	ip->ip_len = htons(plen + sizeof(struct ip));
2311	else {
2312	ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2313	"leave ip_len as is (invalid packet)\n"));
2314	}
2315	if (rfc6864 && IP_OFF_IS_ATOMIC(ntohs(ip->ip_off))) {
2316	ip->ip_id = `0`;
2317	} else {
2318	ip->ip_id = ip_randomid();
2319	}
2320	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2321	&ip->ip_src, sizeof(ip->ip_src));
2322	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2323	&ip->ip_dst, sizeof(ip->ip_dst));
2324	ip->ip_ttl = IPDEFTTL;
2325
2326	/ XXX Should ip_src be updated later ? /
2327
2328	return `0`;
2329	}
2330
2331	#endif /INET/
2332
2333	#if INET6
2334	int
2335	ipsec6_encapsulate(struct mbuf m, struct* secasvar *sav)
2336	{
2337	struct ip6_hdr *oip6;
2338	struct ip6_hdr *ip6;
2339	size_t plen;
2340
2341	/ can't tunnel between different AFs /
2342	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2343	!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2344	\|\| ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2345	m_freem(m);
2346	return EINVAL;
2347	}
2348	#if 0
2349	/ XXX if the dst is myself, perform nothing. /
2350	if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2351	m_freem(m);
2352	return EINVAL;
2353	}
2354	#endif
2355
2356	plen = m->m_pkthdr.len;
2357
2358	/*
2359	* grow the mbuf to accomodate the new IPv6 header.
2360	*/
2361	if (m->m_len != sizeof(struct ip6_hdr))
2362	panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2363	if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2364	struct mbuf *n;
2365	MGET(n, M_DONTWAIT, MT_DATA);
2366	if (!n) {
2367	m_freem(m);
2368	return ENOBUFS;
2369	}
2370	n->m_len = sizeof(struct ip6_hdr);
2371	n->m_next = m->m_next;
2372	m->m_next = n;
2373	m->m_pkthdr.len += sizeof(struct ip6_hdr);
2374	oip6 = mtod(n, struct ip6_hdr *);
2375	} else {
2376	m->m_next->m_len += sizeof(struct ip6_hdr);
2377	m->m_next->m_data -= sizeof(struct ip6_hdr);
2378	m->m_pkthdr.len += sizeof(struct ip6_hdr);
2379	oip6 = mtod(m->m_next, struct ip6_hdr *);
2380	}
2381	ip6 = mtod(m, struct ip6_hdr *);
2382	ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
2383
2384	/ Fake link-local scope-class addresses /
2385	if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
2386	oip6->ip6_src.s6_addr16[`1`] = `0`;
2387	if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
2388	oip6->ip6_dst.s6_addr16[`1`] = `0`;
2389
2390	/ construct new IPv6 header. see RFC 2401 5.1.2.2 /
2391	/ ECN consideration. /
2392	ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
2393	if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2394	ip6->ip6_plen = htons(plen);
2395	else {
2396	/ ip6->ip6_plen will be updated in ip6_output() /
2397	}
2398	ip6->ip6_nxt = IPPROTO_IPV6;
2399	bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2400	&ip6->ip6_src, sizeof(ip6->ip6_src));
2401	bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2402	&ip6->ip6_dst, sizeof(ip6->ip6_dst));
2403	ip6->ip6_hlim = IPV6_DEFHLIM;
2404
2405	/ XXX Should ip6_src be updated later ? /
2406
2407	return `0`;
2408	}
2409
2410	static int
2411	ipsec64_encapsulate(struct mbuf m, struct* secasvar *sav)
2412	{
2413	struct ip6_hdr ip6, ip6i;
2414	struct ip *ip;
2415	size_t plen;
2416	u_int8_t hlim;
2417
2418	/ tunneling over IPv4 /
2419	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2420	!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2421	\|\| ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET) {
2422	m_freem(m);
2423	return EINVAL;
2424	}
2425	#if 0
2426	/ XXX if the dst is myself, perform nothing. /
2427	if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2428	m_freem(m);
2429	return EINVAL;
2430	}
2431	#endif
2432
2433	plen = m->m_pkthdr.len;
2434	ip6 = mtod(m, struct ip6_hdr *);
2435	hlim = ip6->ip6_hlim;
2436	/*
2437	* grow the mbuf to accomodate the new IPv4 header.
2438	*/
2439	if (m->m_len != sizeof(struct ip6_hdr))
2440	panic("ipsec6_encapsulate: assumption failed (first mbuf length)");
2441	if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
2442	struct mbuf *n;
2443	MGET(n, M_DONTWAIT, MT_DATA);
2444	if (!n) {
2445	m_freem(m);
2446	return ENOBUFS;
2447	}
2448	n->m_len = sizeof(struct ip6_hdr);
2449	n->m_next = m->m_next;
2450	m->m_next = n;
2451	m->m_pkthdr.len += sizeof(struct ip);
2452	ip6i = mtod(n, struct ip6_hdr *);
2453	} else {
2454	m->m_next->m_len += sizeof(struct ip6_hdr);
2455	m->m_next->m_data -= sizeof(struct ip6_hdr);
2456	m->m_pkthdr.len += sizeof(struct ip);
2457	ip6i = mtod(m->m_next, struct ip6_hdr *);
2458	}
2459
2460	bcopy(ip6, ip6i, sizeof(struct ip6_hdr));
2461	ip = mtod(m, struct ip *);
2462	m->m_len = sizeof(struct ip);
2463	/*
2464	* Fill in some of the IPv4 fields - we don't need all of them
2465	* because the rest will be filled in by ip_output
2466	*/
2467	ip->ip_v = IPVERSION;
2468	ip->ip_hl = sizeof(struct ip) >> `2`;
2469	ip->ip_id = `0`;
2470	ip->ip_sum = `0`;
2471	ip->ip_tos = `0`;
2472	ip->ip_off = `0`;
2473	ip->ip_ttl = hlim;
2474	ip->ip_p = IPPROTO_IPV6;
2475
2476	/ construct new IPv4 header. see RFC 2401 5.1.2.1 /
2477	/ ECN consideration. /
2478	ip64_ecn_ingress(ip4_ipsec_ecn, &ip->ip_tos, &ip6->ip6_flow);
2479
2480	if (plen + sizeof(struct ip) < IP_MAXPACKET)
2481	ip->ip_len = htons(plen + sizeof(struct ip));
2482	else {
2483	ip->ip_len = htons(plen);
2484	ipseclog((LOG_ERR, "IPv4 ipsec: size exceeds limit: "
2485	"leave ip_len as is (invalid packet)\n"));
2486	}
2487	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.src)->sin_addr,
2488	&ip->ip_src, sizeof(ip->ip_src));
2489	bcopy(&((struct sockaddr_in *)&sav->sah->saidx.dst)->sin_addr,
2490	&ip->ip_dst, sizeof(ip->ip_dst));
2491
2492	return `0`;
2493	}
2494
2495	int
2496	ipsec6_update_routecache_and_output(
2497	struct ipsec_output_state *state,
2498	struct secasvar *sav)
2499	{
2500	struct sockaddr_in6* dst6;
2501	struct route_in6 *ro6;
2502	struct ip6_hdr *ip6;
2503	errno_t error = `0`;
2504
2505	int plen;
2506	struct ip6_out_args ip6oa;
2507	struct route_in6 ro6_new;
2508	struct flowadv *adv = NULL;
2509
2510	if (!state->m) {
2511	return EINVAL;
2512	}
2513	ip6 = mtod(state->m, struct ip6_hdr *);
2514
2515	// grab sadb_mutex, before updating sah's route cache
2516	lck_mtx_lock(sadb_mutex);
2517	ro6 = &sav->sah->sa_route;
2518	dst6 = (struct sockaddr_in6 )(void* *)&ro6->ro_dst;
2519	if (ro6->ro_rt) {
2520	RT_LOCK(ro6->ro_rt);
2521	}
2522	if (ROUTE_UNUSABLE(ro6) \|\|
2523	!IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) {
2524	if (ro6->ro_rt != NULL)
2525	RT_UNLOCK(ro6->ro_rt);
2526	ROUTE_RELEASE(ro6);
2527	}
2528	if (ro6->ro_rt == `0`) {
2529	bzero(dst6, sizeof(*dst6));
2530	dst6->sin6_family = AF_INET6;
2531	dst6->sin6_len = sizeof(*dst6);
2532	dst6->sin6_addr = ip6->ip6_dst;
2533	rtalloc_scoped((struct route *)ro6, sav->sah->outgoing_if);
2534	if (ro6->ro_rt) {
2535	RT_LOCK(ro6->ro_rt);
2536	}
2537	}
2538	if (ro6->ro_rt == `0`) {
2539	ip6stat.ip6s_noroute++;
2540	IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute);
2541	error = EHOSTUNREACH;
2542	// release sadb_mutex, after updating sah's route cache
2543	lck_mtx_unlock(sadb_mutex);
2544	return error;
2545	}
2546
2547	/*
2548	* adjust state->dst if tunnel endpoint is offlink
2549	*
2550	* XXX: caching rt_gateway value in the state is
2551	* not really good, since it may point elsewhere
2552	* when the gateway gets modified to a larger
2553	* sockaddr via rt_setgate(). This is currently
2554	* addressed by SA_SIZE roundup in that routine.
2555	*/
2556	if (ro6->ro_rt->rt_flags & RTF_GATEWAY)
2557	dst6 = (struct sockaddr_in6 )(void* *)ro6->ro_rt->rt_gateway;
2558	RT_UNLOCK(ro6->ro_rt);
2559	ROUTE_RELEASE(&state->ro);
2560	route_copyout((struct route )&state->ro, (struct* route )ro6, sizeof(struct* route_in6));
2561	state->dst = (struct sockaddr *)dst6;
2562	state->tunneled = `6`;
2563	// release sadb_mutex, after updating sah's route cache
2564	lck_mtx_unlock(sadb_mutex);
2565
2566	state->m = ipsec6_splithdr(state->m);
2567	if (!state->m) {
2568	IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
2569	error = ENOMEM;
2570	return error;
2571	}
2572
2573	ip6 = mtod(state->m, struct ip6_hdr *);
2574	switch (sav->sah->saidx.proto) {
2575	case IPPROTO_ESP:
2576	#if IPSEC_ESP
2577	error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
2578	#else
2579	m_freem(state->m);
2580	error = EINVAL;
2581	#endif
2582	break;
2583	case IPPROTO_AH:
2584	error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
2585	break;
2586	case IPPROTO_IPCOMP:
2587	/ XXX code should be here /
2588	/FALLTHROUGH/
2589	default:
2590	ipseclog((LOG_ERR, "%s: unknown ipsec protocol %d\n", __FUNCTION__, sav->sah->saidx.proto));
2591	m_freem(state->m);
2592	IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
2593	error = EINVAL;
2594	break;
2595	}
2596	if (error) {
2597	// If error, packet already freed by above output routines
2598	state->m = NULL;
2599	return error;
2600	}
2601
2602	plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
2603	if (plen > IPV6_MAXPACKET) {
2604	ipseclog((LOG_ERR, "%s: IPsec with IPv6 jumbogram is not supported\n", __FUNCTION__));
2605	IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
2606	error = EINVAL;/XXX/
2607	return error;
2608	}
2609	ip6 = mtod(state->m, struct ip6_hdr *);
2610	ip6->ip6_plen = htons(plen);
2611
2612	ipsec_set_pkthdr_for_interface(sav->sah->ipsec_if, state->m, AF_INET6);
2613	ipsec_set_ip6oa_for_interface(sav->sah->ipsec_if, &ip6oa);
2614
2615	/ Increment statistics /
2616	ifnet_stat_increment_out(sav->sah->ipsec_if, `1`, mbuf_pkthdr_len(state->m), `0`);
2617
2618	/ Send to ip6_output /
2619	bzero(&ro6_new, sizeof(ro6_new));
2620	bzero(&ip6oa, sizeof(ip6oa));
2621	ip6oa.ip6oa_flowadv.code = `0`;
2622	ip6oa.ip6oa_flags = IP6OAF_SELECT_SRCIF \| IP6OAF_BOUND_SRCADDR;
2623	if (state->outgoing_if) {
2624	ip6oa.ip6oa_boundif = state->outgoing_if;
2625	ip6oa.ip6oa_flags \|= IP6OAF_BOUND_IF;
2626	}
2627
2628	adv = &ip6oa.ip6oa_flowadv;
2629	(void) ip6_output(state->m, NULL, &ro6_new, IPV6_OUTARGS, NULL, NULL, &ip6oa);
2630	state->m = NULL;
2631
2632	if (adv->code == FADV_FLOW_CONTROLLED \|\| adv->code == FADV_SUSPENDED) {
2633	error = ENOBUFS;
2634	ifnet_disable_output(sav->sah->ipsec_if);
2635	return error;
2636	}
2637
2638	return `0`;
2639	}
2640
2641	int
2642	ipsec46_encapsulate(struct ipsec_output_state state, struct* secasvar *sav)
2643	{
2644	struct mbuf *m;
2645	struct ip6_hdr *ip6;
2646	struct ip *oip;
2647	struct ip *ip;
2648	size_t hlen;
2649	size_t plen;
2650
2651	m = state->m;
2652	if (!m) {
2653	return EINVAL;
2654	}
2655
2656	/ can't tunnel between different AFs /
2657	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
2658	!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family
2659	\|\| ((struct sockaddr *)&sav->sah->saidx.src)->sa_family != AF_INET6) {
2660	m_freem(m);
2661	return EINVAL;
2662	}
2663	#if 0
2664	/ XXX if the dst is myself, perform nothing. /
2665	if (key_ismyaddr((struct sockaddr *)&sav->sah->saidx.dst)) {
2666	m_freem(m);
2667	return EINVAL;
2668	}
2669	#endif
2670
2671	if (m->m_len < sizeof(*ip)) {
2672	panic("ipsec46_encapsulate: assumption failed (first mbuf length)");
2673	return EINVAL;
2674	}
2675
2676	ip = mtod(m, struct ip *);
2677	#ifdef _IP_VHL
2678	hlen = _IP_VHL_HL(ip->ip_vhl) << `2`;
2679	#else
2680	hlen = ip->ip_hl << `2`;
2681	#endif
2682
2683	if (m->m_len != hlen) {
2684	panic("ipsec46_encapsulate: assumption failed (first mbuf length)");
2685	return EINVAL;
2686	}
2687
2688	/ generate header checksum /
2689	ip->ip_sum = `0`;
2690	#ifdef _IP_VHL
2691	ip->ip_sum = in_cksum(m, hlen);
2692	#else
2693	ip->ip_sum = in_cksum(m, hlen);
2694	#endif
2695
2696	plen = m->m_pkthdr.len; // save original IPv4 packet len, this will be ipv6 payload len
2697
2698	/*
2699	* First move the IPv4 header to the second mbuf in the chain
2700	*/
2701	if (M_LEADINGSPACE(m->m_next) < hlen) {
2702	struct mbuf *n;
2703	MGET(n, M_DONTWAIT, MT_DATA);
2704	if (!n) {
2705	m_freem(m);
2706	return ENOBUFS;
2707	}
2708	n->m_len = hlen;
2709	n->m_next = m->m_next;
2710	m->m_next = n;
2711	m->m_pkthdr.len += sizeof(struct ip6_hdr);
2712	oip = mtod(n, struct ip *);
2713	} else {
2714	m->m_next->m_len += hlen;
2715	m->m_next->m_data -= hlen;
2716	m->m_pkthdr.len += sizeof(struct ip6_hdr);
2717	oip = mtod(m->m_next, struct ip *);
2718	}
2719	ip = mtod(m, struct ip *);
2720	ovbcopy((caddr_t)ip, (caddr_t)oip, hlen);
2721
2722	/*
2723	* Grow the first mbuf to accomodate the new IPv6 header.
2724	*/
2725	if (M_LEADINGSPACE(m) < sizeof(struct ip6_hdr) - hlen) {
2726	struct mbuf *n;
2727	MGETHDR(n, M_DONTWAIT, MT_HEADER);
2728	if (!n) {
2729	m_freem(m);
2730	return ENOBUFS;
2731	}
2732	M_COPY_PKTHDR(n, m);
2733	MH_ALIGN(n, sizeof(struct ip6_hdr));
2734	n->m_len = sizeof(struct ip6_hdr);
2735	n->m_next = m->m_next;
2736	m->m_next = NULL;
2737	m_freem(m);
2738	state->m = n;
2739	m = state->m;
2740	} else {
2741	m->m_len += (sizeof(struct ip6_hdr) - hlen);
2742	m->m_data -= (sizeof(struct ip6_hdr) - hlen);
2743	}
2744	ip6 = mtod(m, struct ip6_hdr *);
2745	ip6->ip6_flow = `0`;
2746	ip6->ip6_vfc &= ~IPV6_VERSION_MASK;
2747	ip6->ip6_vfc \|= IPV6_VERSION;
2748
2749	/ construct new IPv6 header. see RFC 2401 5.1.2.2 /
2750	/ ECN consideration. /
2751	ip46_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &ip->ip_tos);
2752	if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
2753	ip6->ip6_plen = htons(plen);
2754	else {
2755	/ ip6->ip6_plen will be updated in ip6_output() /
2756	}
2757
2758	ip6->ip6_nxt = IPPROTO_IPV4;
2759	ip6->ip6_hlim = IPV6_DEFHLIM;
2760
2761	bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.src)->sin6_addr,
2762	&ip6->ip6_src, sizeof(ip6->ip6_src));
2763	bcopy(&((struct sockaddr_in6 *)&sav->sah->saidx.dst)->sin6_addr,
2764	&ip6->ip6_dst, sizeof(ip6->ip6_dst));
2765
2766	return `0`;
2767	}
2768
2769	#endif /INET6/
2770
2771	/*
2772	* Check the variable replay window.
2773	* ipsec_chkreplay() performs replay check before ICV verification.
2774	* ipsec_updatereplay() updates replay bitmap. This must be called after
2775	* ICV verification (it also performs replay check, which is usually done
2776	* beforehand).
2777	* 0 (zero) is returned if packet disallowed, 1 if packet permitted.
2778	*
2779	* based on RFC 2401.
2780	*/
2781	int
2782	ipsec_chkreplay(u_int32_t seq, struct secasvar *sav)
2783	{
2784	const struct secreplay *replay;
2785	u_int32_t diff;
2786	int fr;
2787	u_int32_t wsizeb; / constant: bits of window size /
2788	int frlast; / constant: last frame /
2789
2790
2791	/ sanity check /
2792	if (sav == NULL)
2793	panic("ipsec_chkreplay: NULL pointer was passed.\n");
2794
2795	lck_mtx_lock(sadb_mutex);
2796	replay = sav->replay;
2797
2798	if (replay->wsize == `0`) {
2799	lck_mtx_unlock(sadb_mutex);
2800	return `1`; / no need to check replay. /
2801	}
2802
2803	/ constant /
2804	frlast = replay->wsize - `1`;
2805	wsizeb = replay->wsize << `3`;
2806
2807	/ sequence number of 0 is invalid /
2808	if (seq == `0`) {
2809	lck_mtx_unlock(sadb_mutex);
2810	return `0`;
2811	}
2812
2813	/ first time is always okay /
2814	if (replay->count == `0`) {
2815	lck_mtx_unlock(sadb_mutex);
2816	return `1`;
2817	}
2818
2819	if (seq > replay->lastseq) {
2820	/ larger sequences are okay /
2821	lck_mtx_unlock(sadb_mutex);
2822	return `1`;
2823	} else {
2824	/ seq is equal or less than lastseq. /
2825	diff = replay->lastseq - seq;
2826
2827	/ over range to check, i.e. too old or wrapped /
2828	if (diff >= wsizeb) {
2829	lck_mtx_unlock(sadb_mutex);
2830	return `0`;
2831	}
2832
2833	fr = frlast - diff / `8`;
2834
2835	/ this packet already seen ? /
2836	if ((replay->bitmap)[fr] & (`1` << (diff % `8`))) {
2837	lck_mtx_unlock(sadb_mutex);
2838	return `0`;
2839	}
2840
2841	/ out of order but good /
2842	lck_mtx_unlock(sadb_mutex);
2843	return `1`;
2844	}
2845	}
2846
2847	/*
2848	* check replay counter whether to update or not.
2849	* OUT: 0: OK
2850	* 1: NG
2851	*/
2852	int
2853	ipsec_updatereplay(u_int32_t seq, struct secasvar *sav)
2854	{
2855	struct secreplay *replay;
2856	u_int32_t diff;
2857	int fr;
2858	u_int32_t wsizeb; / constant: bits of window size /
2859	int frlast; / constant: last frame /
2860
2861	/ sanity check /
2862	if (sav == NULL)
2863	panic("ipsec_chkreplay: NULL pointer was passed.\n");
2864
2865	lck_mtx_lock(sadb_mutex);
2866	replay = sav->replay;
2867
2868	if (replay->wsize == `0`)
2869	goto ok; / no need to check replay. /
2870
2871	/ constant /
2872	frlast = replay->wsize - `1`;
2873	wsizeb = replay->wsize << `3`;
2874
2875	/ sequence number of 0 is invalid /
2876	if (seq == `0`) {
2877	lck_mtx_unlock(sadb_mutex);
2878	return `1`;
2879	}
2880
2881	/ first time /
2882	if (replay->count == `0`) {
2883	replay->lastseq = seq;
2884	bzero(replay->bitmap, replay->wsize);
2885	(replay->bitmap)[frlast] = `1`;
2886	goto ok;
2887	}
2888
2889	if (seq > replay->lastseq) {
2890	/ seq is larger than lastseq. /
2891	diff = seq - replay->lastseq;
2892
2893	/ new larger sequence number /
2894	if (diff < wsizeb) {
2895	/ In window /
2896	/ set bit for this packet /
2897	vshiftl((unsigned char *) replay->bitmap, diff, replay->wsize);
2898	(replay->bitmap)[frlast] \|= `1`;
2899	} else {
2900	/ this packet has a "way larger" /
2901	bzero(replay->bitmap, replay->wsize);
2902	(replay->bitmap)[frlast] = `1`;
2903	}
2904	replay->lastseq = seq;
2905
2906	/ larger is good /
2907	} else {
2908	/ seq is equal or less than lastseq. /
2909	diff = replay->lastseq - seq;
2910
2911	/ over range to check, i.e. too old or wrapped /
2912	if (diff >= wsizeb) {
2913	lck_mtx_unlock(sadb_mutex);
2914	return `1`;
2915	}
2916
2917	fr = frlast - diff / `8`;
2918
2919	/ this packet already seen ? /
2920	if ((replay->bitmap)[fr] & (`1` << (diff % `8`))) {
2921	lck_mtx_unlock(sadb_mutex);
2922	return `1`;
2923	}
2924
2925	/ mark as seen /
2926	(replay->bitmap)[fr] \|= (`1` << (diff % `8`));
2927
2928	/ out of order but good /
2929	}
2930
2931	ok:
2932	if (replay->count == ~`0`) {
2933
2934	/ set overflow flag /
2935	replay->overflow++;
2936
2937	/ don't increment, no more packets accepted /
2938	if ((sav->flags & SADB_X_EXT_CYCSEQ) == `0`) {
2939	lck_mtx_unlock(sadb_mutex);
2940	return `1`;
2941	}
2942
2943	ipseclog((LOG_WARNING, "replay counter made %d cycle. %s\n",
2944	replay->overflow, ipsec_logsastr(sav)));
2945	}
2946
2947	replay->count++;
2948
2949	lck_mtx_unlock(sadb_mutex);
2950	return `0`;
2951	}
2952
2953	/*
2954	* shift variable length buffer to left.
2955	* IN: bitmap: pointer to the buffer
2956	* nbit: the number of to shift.
2957	* wsize: buffer size (bytes).
2958	*/
2959	static void
2960	vshiftl(unsigned char bitmap, int* nbit, int wsize)
2961	{
2962	int s, j, i;
2963	unsigned char over;
2964
2965	for (j = `0`; j < nbit; j += `8`) {
2966	s = (nbit - j < `8`) ? (nbit - j): `8`;
2967	bitmap[`0`] <<= s;
2968	for (i = `1`; i < wsize; i++) {
2969	over = (bitmap[i] >> (`8` - s));
2970	bitmap[i] <<= s;
2971	bitmap[i-`1`] \|= over;
2972	}
2973	}
2974
2975	return;
2976	}
2977
2978	const char *
2979	ipsec4_logpacketstr(struct ip *ip, u_int32_t spi)
2980	{
2981	static char buf[`256`] __attribute__((aligned(`4`)));
2982	char *p;
2983	u_int8_t s, d;
2984
2985	s = (u_int8_t *)(&ip->ip_src);
2986	d = (u_int8_t *)(&ip->ip_dst);
2987
2988	p = buf;
2989	snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
2990	while (p && *p)
2991	p++;
2992	snprintf(p, sizeof(buf) - (p - buf), "src=%u.%u.%u.%u",
2993	s[`0`], s[`1`], s[`2`], s[`3`]);
2994	while (p && *p)
2995	p++;
2996	snprintf(p, sizeof(buf) - (p - buf), " dst=%u.%u.%u.%u",
2997	d[`0`], d[`1`], d[`2`], d[`3`]);
2998	while (p && *p)
2999	p++;
3000	snprintf(p, sizeof(buf) - (p - buf), ")");
3001
3002	return buf;
3003	}
3004
3005	#if INET6
3006	const char *
3007	ipsec6_logpacketstr(struct ip6_hdr *ip6, u_int32_t spi)
3008	{
3009	static char buf[`256`] __attribute__((aligned(`4`)));
3010	char *p;
3011
3012	p = buf;
3013	snprintf(buf, sizeof(buf), "packet(SPI=%u ", (u_int32_t)ntohl(spi));
3014	while (p && *p)
3015	p++;
3016	snprintf(p, sizeof(buf) - (p - buf), "src=%s",
3017	ip6_sprintf(&ip6->ip6_src));
3018	while (p && *p)
3019	p++;
3020	snprintf(p, sizeof(buf) - (p - buf), " dst=%s",
3021	ip6_sprintf(&ip6->ip6_dst));
3022	while (p && *p)
3023	p++;
3024	snprintf(p, sizeof(buf) - (p - buf), ")");
3025
3026	return buf;
3027	}
3028	#endif /INET6/
3029
3030	const char *
3031	ipsec_logsastr(struct secasvar *sav)
3032	{
3033	static char buf[`256`] __attribute__((aligned(`4`)));
3034	char *p;
3035	struct secasindex *saidx = &sav->sah->saidx;
3036
3037	/ validity check /
3038	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family
3039	!= ((struct sockaddr *)&sav->sah->saidx.dst)->sa_family)
3040	panic("ipsec_logsastr: family mismatched.\n");
3041
3042	p = buf;
3043	snprintf(buf, sizeof(buf), "SA(SPI=%u ", (u_int32_t)ntohl(sav->spi));
3044	while (p && *p)
3045	p++;
3046	if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET) {
3047	u_int8_t s, d;
3048	s = (u_int8_t )&((struct* sockaddr_in *)&saidx->src)->sin_addr;
3049	d = (u_int8_t )&((struct* sockaddr_in *)&saidx->dst)->sin_addr;
3050	snprintf(p, sizeof(buf) - (p - buf),
3051	"src=%d.%d.%d.%d dst=%d.%d.%d.%d",
3052	s[`0`], s[`1`], s[`2`], s[`3`], d[`0`], d[`1`], d[`2`], d[`3`]);
3053	}
3054	#if INET6
3055	else if (((struct sockaddr *)&saidx->src)->sa_family == AF_INET6) {
3056	snprintf(p, sizeof(buf) - (p - buf),
3057	"src=%s",
3058	ip6_sprintf(&((struct sockaddr_in6 *)&saidx->src)->sin6_addr));
3059	while (p && *p)
3060	p++;
3061	snprintf(p, sizeof(buf) - (p - buf),
3062	" dst=%s",
3063	ip6_sprintf(&((struct sockaddr_in6 *)&saidx->dst)->sin6_addr));
3064	}
3065	#endif
3066	while (p && *p)
3067	p++;
3068	snprintf(p, sizeof(buf) - (p - buf), ")");
3069
3070	return buf;
3071	}
3072
3073	void
3074	ipsec_dumpmbuf(struct mbuf *m)
3075	{
3076	int totlen;
3077	int i;
3078	u_char *p;
3079
3080	totlen = `0`;
3081	printf("---\n");
3082	while (m) {
3083	p = mtod(m, u_char *);
3084	for (i = `0`; i < m->m_len; i++) {
3085	printf("%02x ", p[i]);
3086	totlen++;
3087	if (totlen % `16` == `0`)
3088	printf("\n");
3089	}
3090	m = m->m_next;
3091	}
3092	if (totlen % `16` != `0`)
3093	printf("\n");
3094	printf("---\n");
3095	}
3096
3097	#if INET
3098	/*
3099	* IPsec output logic for IPv4.
3100	*/
3101	static int
3102	ipsec4_output_internal(struct ipsec_output_state state, struct* secasvar *sav)
3103	{
3104	struct ip *ip = NULL;
3105	int error = `0`;
3106	struct sockaddr_in *dst4;
3107	struct route *ro4;
3108
3109	/ validity check /
3110	if (sav == NULL \|\| sav->sah == NULL) {
3111	error = EINVAL;
3112	goto bad;
3113	}
3114
3115	/*
3116	* If there is no valid SA, we give up to process any
3117	* more. In such a case, the SA's status is changed
3118	* from DYING to DEAD after allocating. If a packet
3119	* send to the receiver by dead SA, the receiver can
3120	* not decode a packet because SA has been dead.
3121	*/
3122	if (sav->state != SADB_SASTATE_MATURE
3123	&& sav->state != SADB_SASTATE_DYING) {
3124	IPSEC_STAT_INCREMENT(ipsecstat.out_nosa);
3125	error = EINVAL;
3126	goto bad;
3127	}
3128
3129	state->outgoing_if = sav->sah->outgoing_if;
3130
3131	/*
3132	* There may be the case that SA status will be changed when
3133	* we are refering to one. So calling splsoftnet().
3134	*/
3135
3136	if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) {
3137	/*
3138	* build IPsec tunnel.
3139	*/
3140	state->m = ipsec4_splithdr(state->m);
3141	if (!state->m) {
3142	error = ENOMEM;
3143	goto bad;
3144	}
3145
3146	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) {
3147	error = ipsec46_encapsulate(state, sav);
3148	if (error) {
3149	// packet already freed by encapsulation error handling
3150	state->m = NULL;
3151	return error;
3152	}
3153
3154	error = ipsec6_update_routecache_and_output(state, sav);
3155	return error;
3156
3157	} else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) {
3158	error = ipsec4_encapsulate(state->m, sav);
3159	if (error) {
3160	state->m = NULL;
3161	goto bad;
3162	}
3163	ip = mtod(state->m, struct ip *);
3164
3165	// grab sadb_mutex, before updating sah's route cache
3166	lck_mtx_lock(sadb_mutex);
3167	ro4= (struct route *)&sav->sah->sa_route;
3168	dst4 = (struct sockaddr_in )(void* *)&ro4->ro_dst;
3169	if (ro4->ro_rt != NULL) {
3170	RT_LOCK(ro4->ro_rt);
3171	}
3172	if (ROUTE_UNUSABLE(ro4) \|\|
3173	dst4->sin_addr.s_addr != ip->ip_dst.s_addr) {
3174	if (ro4->ro_rt != NULL)
3175	RT_UNLOCK(ro4->ro_rt);
3176	ROUTE_RELEASE(ro4);
3177	}
3178	if (ro4->ro_rt == `0`) {
3179	dst4->sin_family = AF_INET;
3180	dst4->sin_len = sizeof(*dst4);
3181	dst4->sin_addr = ip->ip_dst;
3182	rtalloc_scoped(ro4, sav->sah->outgoing_if);
3183	if (ro4->ro_rt == `0`) {
3184	OSAddAtomic(`1`, &ipstat.ips_noroute);
3185	error = EHOSTUNREACH;
3186	// release sadb_mutex, after updating sah's route cache
3187	lck_mtx_unlock(sadb_mutex);
3188	goto bad;
3189	}
3190	RT_LOCK(ro4->ro_rt);
3191	}
3192
3193	/*
3194	* adjust state->dst if tunnel endpoint is offlink
3195	*
3196	* XXX: caching rt_gateway value in the state is
3197	* not really good, since it may point elsewhere
3198	* when the gateway gets modified to a larger
3199	* sockaddr via rt_setgate(). This is currently
3200	* addressed by SA_SIZE roundup in that routine.
3201	*/
3202	if (ro4->ro_rt->rt_flags & RTF_GATEWAY)
3203	dst4 = (struct sockaddr_in )(void* *)ro4->ro_rt->rt_gateway;
3204	RT_UNLOCK(ro4->ro_rt);
3205	ROUTE_RELEASE(&state->ro);
3206	route_copyout((struct route )&state->ro, ro4, sizeof(struct* route));
3207	state->dst = (struct sockaddr *)dst4;
3208	state->tunneled = `4`;
3209	// release sadb_mutex, after updating sah's route cache
3210	lck_mtx_unlock(sadb_mutex);
3211	} else {
3212	ipseclog((LOG_ERR, "%s: family mismatched between inner and outer spi=%u\n",
3213	__FUNCTION__, (u_int32_t)ntohl(sav->spi)));
3214	error = EAFNOSUPPORT;
3215	goto bad;
3216	}
3217	}
3218
3219	state->m = ipsec4_splithdr(state->m);
3220	if (!state->m) {
3221	error = ENOMEM;
3222	goto bad;
3223	}
3224	switch (sav->sah->saidx.proto) {
3225	case IPPROTO_ESP:
3226	#if IPSEC_ESP
3227	if ((error = esp4_output(state->m, sav)) != `0`) {
3228	state->m = NULL;
3229	goto bad;
3230	}
3231	break;
3232	#else
3233	m_freem(state->m);
3234	state->m = NULL;
3235	error = EINVAL;
3236	goto bad;
3237	#endif
3238	case IPPROTO_AH:
3239	if ((error = ah4_output(state->m, sav)) != `0`) {
3240	state->m = NULL;
3241	goto bad;
3242	}
3243	break;
3244	case IPPROTO_IPCOMP:
3245	if ((error = ipcomp4_output(state->m, sav)) != `0`) {
3246	state->m = NULL;
3247	goto bad;
3248	}
3249	break;
3250	default:
3251	ipseclog((LOG_ERR,
3252	"ipsec4_output: unknown ipsec protocol %d\n",
3253	sav->sah->saidx.proto));
3254	m_freem(state->m);
3255	state->m = NULL;
3256	error = EINVAL;
3257	goto bad;
3258	}
3259
3260	if (state->m == `0`) {
3261	error = ENOMEM;
3262	goto bad;
3263	}
3264
3265	return `0`;
3266
3267	bad:
3268	return error;
3269	}
3270
3271	int
3272	ipsec4_interface_output(struct ipsec_output_state *state, ifnet_t interface)
3273	{
3274	int error = `0`;
3275	struct secasvar *sav = NULL;
3276
3277	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3278
3279	if (state == NULL) {
3280	panic("state == NULL in ipsec4_output");
3281	}
3282	if (state->m == NULL) {
3283	panic("state->m == NULL in ipsec4_output");
3284	}
3285	if (state->dst == NULL) {
3286	panic("state->dst == NULL in ipsec4_output");
3287	}
3288
3289	struct ip ip = mtod(state->m, struct* ip *);
3290
3291	struct sockaddr_in src = {};
3292	src.sin_family = AF_INET;
3293	src.sin_len = sizeof(src);
3294	memcpy(&src.sin_addr, &ip->ip_src, sizeof(src.sin_addr));
3295
3296	struct sockaddr_in dst = {};
3297	dst.sin_family = AF_INET;
3298	dst.sin_len = sizeof(dst);
3299	memcpy(&dst.sin_addr, &ip->ip_dst, sizeof(dst.sin_addr));
3300
3301	sav = key_alloc_outbound_sav_for_interface(interface, AF_INET,
3302	(struct sockaddr *)&src,
3303	(struct sockaddr *)&dst);
3304	if (sav == NULL) {
3305	goto bad;
3306	}
3307
3308	if ((error = ipsec4_output_internal(state, sav)) != `0`) {
3309	goto bad;
3310	}
3311
3312	KERNEL_DEBUG(DBG_FNC_IPSEC_OUT \| DBG_FUNC_END, `0`,`0`,`0`,`0`,`0`);
3313	if (sav) {
3314	key_freesav(sav, KEY_SADB_UNLOCKED);
3315	}
3316	return `0`;
3317
3318	bad:
3319	if (sav) {
3320	key_freesav(sav, KEY_SADB_UNLOCKED);
3321	}
3322	m_freem(state->m);
3323	state->m = NULL;
3324	KERNEL_DEBUG(DBG_FNC_IPSEC_OUT \| DBG_FUNC_END, error,`0`,`0`,`0`,`0`);
3325	return error;
3326	}
3327
3328	int
3329	ipsec4_output(struct ipsec_output_state state, struct* secpolicy sp, __unused int* flags)
3330	{
3331	struct ip *ip = NULL;
3332	struct ipsecrequest *isr = NULL;
3333	struct secasindex saidx;
3334	struct secasvar *sav = NULL;
3335	int error = `0`;
3336	struct sockaddr_in *sin;
3337
3338	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3339
3340	if (!state)
3341	panic("state == NULL in ipsec4_output");
3342	if (!state->m)
3343	panic("state->m == NULL in ipsec4_output");
3344	if (!state->dst)
3345	panic("state->dst == NULL in ipsec4_output");
3346
3347	KERNEL_DEBUG(DBG_FNC_IPSEC_OUT \| DBG_FUNC_START, `0`,`0`,`0`,`0`,`0`);
3348
3349	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3350	printf("ipsec4_output: applied SP\n");
3351	kdebug_secpolicy(sp));
3352
3353	for (isr = sp->req; isr != NULL; isr = isr->next) {
3354	/ make SA index for search proper SA /
3355	ip = mtod(state->m, struct ip *);
3356	bcopy(&isr->saidx, &saidx, sizeof(saidx));
3357	saidx.mode = isr->saidx.mode;
3358	saidx.reqid = isr->saidx.reqid;
3359	sin = (struct sockaddr_in *)&saidx.src;
3360	if (sin->sin_len == `0`) {
3361	sin->sin_len = sizeof(*sin);
3362	sin->sin_family = AF_INET;
3363	sin->sin_port = IPSEC_PORT_ANY;
3364	bcopy(&ip->ip_src, &sin->sin_addr,
3365	sizeof(sin->sin_addr));
3366	}
3367	sin = (struct sockaddr_in *)&saidx.dst;
3368	if (sin->sin_len == `0`) {
3369	sin->sin_len = sizeof(*sin);
3370	sin->sin_family = AF_INET;
3371	sin->sin_port = IPSEC_PORT_ANY;
3372	/*
3373	* Get port from packet if upper layer is UDP and nat traversal
3374	* is enabled and transport mode.
3375	*/
3376
3377	if ((esp_udp_encap_port & `0xFFFF`) != `0` &&
3378	isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
3379
3380	if (ip->ip_p == IPPROTO_UDP) {
3381	struct udphdr *udp;
3382	size_t hlen;
3383	#ifdef _IP_VHL
3384	hlen = IP_VHL_HL(ip->ip_vhl) << `2`;
3385	#else
3386	hlen = ip->ip_hl << `2`;
3387	#endif
3388	if (state->m->m_len < hlen + sizeof(struct udphdr)) {
3389	state->m = m_pullup(state->m, hlen + sizeof(struct udphdr));
3390	if (!state->m) {
3391	ipseclog((LOG_DEBUG, "IPv4 output: can't pullup UDP header\n"));
3392	IPSEC_STAT_INCREMENT(ipsecstat.in_inval);
3393	goto bad;
3394	}
3395	ip = mtod(state->m, struct ip *);
3396	}
3397	udp = (struct udphdr )(void* )(((u_int8_t )ip) + hlen);
3398	sin->sin_port = udp->uh_dport;
3399	}
3400	}
3401
3402	bcopy(&ip->ip_dst, &sin->sin_addr,
3403	sizeof(sin->sin_addr));
3404	}
3405
3406	if ((error = key_checkrequest(isr, &saidx, &sav)) != `0`) {
3407	/*
3408	* IPsec processing is required, but no SA found.
3409	* I assume that key_acquire() had been called
3410	* to get/establish the SA. Here I discard
3411	* this packet because it is responsibility for
3412	* upper layer to retransmit the packet.
3413	*/
3414	IPSEC_STAT_INCREMENT(ipsecstat.out_nosa);
3415	goto bad;
3416	}
3417
3418	/ validity check /
3419	if (sav == NULL) {
3420	switch (ipsec_get_reqlevel(isr)) {
3421	case IPSEC_LEVEL_USE:
3422	continue;
3423	case IPSEC_LEVEL_REQUIRE:
3424	/ must be not reached here. /
3425	panic("ipsec4_output: no SA found, but required.");
3426	}
3427	}
3428
3429	if ((error = ipsec4_output_internal(state, sav)) != `0`) {
3430	goto bad;
3431	}
3432	}
3433
3434	KERNEL_DEBUG(DBG_FNC_IPSEC_OUT \| DBG_FUNC_END, `0`,`0`,`0`,`0`,`0`);
3435	if (sav)
3436	key_freesav(sav, KEY_SADB_UNLOCKED);
3437	return `0`;
3438
3439	bad:
3440	if (sav)
3441	key_freesav(sav, KEY_SADB_UNLOCKED);
3442	m_freem(state->m);
3443	state->m = NULL;
3444	KERNEL_DEBUG(DBG_FNC_IPSEC_OUT \| DBG_FUNC_END, error,`0`,`0`,`0`,`0`);
3445	return error;
3446	}
3447
3448	#endif
3449
3450	#if INET6
3451	/*
3452	* IPsec output logic for IPv6, transport mode.
3453	*/
3454	static int
3455	ipsec6_output_trans_internal(
3456	struct ipsec_output_state *state,
3457	struct secasvar *sav,
3458	u_char *nexthdrp,
3459	struct mbuf *mprev)
3460	{
3461	struct ip6_hdr *ip6;
3462	int error = `0`;
3463	int plen;
3464
3465	/ validity check /
3466	if (sav == NULL \|\| sav->sah == NULL) {
3467	error = EINVAL;
3468	goto bad;
3469	}
3470
3471	/*
3472	* If there is no valid SA, we give up to process.
3473	* see same place at ipsec4_output().
3474	*/
3475	if (sav->state != SADB_SASTATE_MATURE
3476	&& sav->state != SADB_SASTATE_DYING) {
3477	IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3478	error = EINVAL;
3479	goto bad;
3480	}
3481
3482	state->outgoing_if = sav->sah->outgoing_if;
3483
3484	switch (sav->sah->saidx.proto) {
3485	case IPPROTO_ESP:
3486	#if IPSEC_ESP
3487	error = esp6_output(state->m, nexthdrp, mprev->m_next, sav);
3488	#else
3489	m_freem(state->m);
3490	error = EINVAL;
3491	#endif
3492	break;
3493	case IPPROTO_AH:
3494	error = ah6_output(state->m, nexthdrp, mprev->m_next, sav);
3495	break;
3496	case IPPROTO_IPCOMP:
3497	error = ipcomp6_output(state->m, nexthdrp, mprev->m_next, sav);
3498	break;
3499	default:
3500	ipseclog((LOG_ERR, "ipsec6_output_trans: "
3501	"unknown ipsec protocol %d\n", sav->sah->saidx.proto));
3502	m_freem(state->m);
3503	IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3504	error = EINVAL;
3505	break;
3506	}
3507	if (error) {
3508	state->m = NULL;
3509	goto bad;
3510	}
3511	plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3512	if (plen > IPV6_MAXPACKET) {
3513	ipseclog((LOG_ERR, "ipsec6_output_trans: "
3514	"IPsec with IPv6 jumbogram is not supported\n"));
3515	IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3516	error = EINVAL; /XXX/
3517	goto bad;
3518	}
3519	ip6 = mtod(state->m, struct ip6_hdr *);
3520	ip6->ip6_plen = htons(plen);
3521
3522	return `0`;
3523	bad:
3524	return error;
3525	}
3526
3527	int
3528	ipsec6_output_trans(
3529	struct ipsec_output_state *state,
3530	u_char *nexthdrp,
3531	struct mbuf *mprev,
3532	struct secpolicy *sp,
3533	__unused int flags,
3534	int *tun)
3535	{
3536	struct ip6_hdr *ip6;
3537	struct ipsecrequest *isr = NULL;
3538	struct secasindex saidx;
3539	int error = `0`;
3540	struct sockaddr_in6 *sin6;
3541	struct secasvar *sav = NULL;
3542
3543	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3544
3545	if (!state)
3546	panic("state == NULL in ipsec6_output_trans");
3547	if (!state->m)
3548	panic("state->m == NULL in ipsec6_output_trans");
3549	if (!nexthdrp)
3550	panic("nexthdrp == NULL in ipsec6_output_trans");
3551	if (!mprev)
3552	panic("mprev == NULL in ipsec6_output_trans");
3553	if (!sp)
3554	panic("sp == NULL in ipsec6_output_trans");
3555	if (!tun)
3556	panic("tun == NULL in ipsec6_output_trans");
3557
3558	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3559	printf("ipsec6_output_trans: applyed SP\n");
3560	kdebug_secpolicy(sp));
3561
3562	*tun = `0`;
3563	for (isr = sp->req; isr; isr = isr->next) {
3564	if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3565	/ the rest will be handled by ipsec6_output_tunnel() /
3566	break;
3567	}
3568
3569	/ make SA index for search proper SA /
3570	ip6 = mtod(state->m, struct ip6_hdr *);
3571	bcopy(&isr->saidx, &saidx, sizeof(saidx));
3572	saidx.mode = isr->saidx.mode;
3573	saidx.reqid = isr->saidx.reqid;
3574	sin6 = (struct sockaddr_in6 *)&saidx.src;
3575	if (sin6->sin6_len == `0`) {
3576	sin6->sin6_len = sizeof(*sin6);
3577	sin6->sin6_family = AF_INET6;
3578	sin6->sin6_port = IPSEC_PORT_ANY;
3579	bcopy(&ip6->ip6_src, &sin6->sin6_addr,
3580	sizeof(ip6->ip6_src));
3581	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
3582	/ fix scope id for comparing SPD /
3583	sin6->sin6_addr.s6_addr16[`1`] = `0`;
3584	sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[`1`]);
3585	}
3586	}
3587	sin6 = (struct sockaddr_in6 *)&saidx.dst;
3588	if (sin6->sin6_len == `0`) {
3589	sin6->sin6_len = sizeof(*sin6);
3590	sin6->sin6_family = AF_INET6;
3591	sin6->sin6_port = IPSEC_PORT_ANY;
3592	bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
3593	sizeof(ip6->ip6_dst));
3594	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
3595	/ fix scope id for comparing SPD /
3596	sin6->sin6_addr.s6_addr16[`1`] = `0`;
3597	sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[`1`]);
3598	}
3599	}
3600
3601	if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
3602	/*
3603	* IPsec processing is required, but no SA found.
3604	* I assume that key_acquire() had been called
3605	* to get/establish the SA. Here I discard
3606	* this packet because it is responsibility for
3607	* upper layer to retransmit the packet.
3608	*/
3609	IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3610	error = ENOENT;
3611
3612	/*
3613	* Notify the fact that the packet is discarded
3614	* to ourselves. I believe this is better than
3615	* just silently discarding. (jinmei@kame.net)
3616	* XXX: should we restrict the error to TCP packets?
3617	* XXX: should we directly notify sockets via
3618	* pfctlinputs?
3619	*/
3620	icmp6_error(state->m, ICMP6_DST_UNREACH,
3621	ICMP6_DST_UNREACH_ADMIN, `0`);
3622	state->m = NULL; / icmp6_error freed the mbuf /
3623	goto bad;
3624	}
3625
3626	/ validity check /
3627	if (sav == NULL) {
3628	switch (ipsec_get_reqlevel(isr)) {
3629	case IPSEC_LEVEL_USE:
3630	continue;
3631	case IPSEC_LEVEL_REQUIRE:
3632	/ must be not reached here. /
3633	panic("ipsec6_output_trans: no SA found, but required.");
3634	}
3635	}
3636
3637	if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != `0`) {
3638	goto bad;
3639	}
3640	}
3641
3642	/ if we have more to go, we need a tunnel mode processing /
3643	if (isr != NULL)
3644	*tun = `1`;
3645
3646	if (sav)
3647	key_freesav(sav, KEY_SADB_UNLOCKED);
3648	return `0`;
3649
3650	bad:
3651	if (sav)
3652	key_freesav(sav, KEY_SADB_UNLOCKED);
3653	m_freem(state->m);
3654	state->m = NULL;
3655	return error;
3656	}
3657
3658	/*
3659	* IPsec output logic for IPv6, tunnel mode.
3660	*/
3661	static int
3662	ipsec6_output_tunnel_internal(struct ipsec_output_state state, struct* secasvar sav, int* *must_be_last)
3663	{
3664	struct ip6_hdr *ip6;
3665	int error = `0`;
3666	int plen;
3667	struct sockaddr_in6* dst6;
3668	struct route_in6 *ro6;
3669
3670	/ validity check /
3671	if (sav == NULL \|\| sav->sah == NULL \|\| sav->sah->saidx.mode != IPSEC_MODE_TUNNEL) {
3672	error = EINVAL;
3673	goto bad;
3674	}
3675
3676	/*
3677	* If there is no valid SA, we give up to process.
3678	* see same place at ipsec4_output().
3679	*/
3680	if (sav->state != SADB_SASTATE_MATURE
3681	&& sav->state != SADB_SASTATE_DYING) {
3682	IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
3683	error = EINVAL;
3684	goto bad;
3685	}
3686
3687	state->outgoing_if = sav->sah->outgoing_if;
3688
3689	if (sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) {
3690	/*
3691	* build IPsec tunnel.
3692	*/
3693	state->m = ipsec6_splithdr(state->m);
3694	if (!state->m) {
3695	IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
3696	error = ENOMEM;
3697	goto bad;
3698	}
3699
3700	if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET6) {
3701	error = ipsec6_encapsulate(state->m, sav);
3702	if (error) {
3703	state->m = `0`;
3704	goto bad;
3705	}
3706	ip6 = mtod(state->m, struct ip6_hdr *);
3707	} else if (((struct sockaddr *)&sav->sah->saidx.src)->sa_family == AF_INET) {
3708
3709	struct ip *ip;
3710	struct sockaddr_in* dst4;
3711	struct route *ro4 = NULL;
3712	struct route ro4_copy;
3713	struct ip_out_args ipoa;
3714
3715	bzero(&ipoa, sizeof(ipoa));
3716	ipoa.ipoa_boundif = IFSCOPE_NONE;
3717	ipoa.ipoa_flags = IPOAF_SELECT_SRCIF;
3718	ipoa.ipoa_sotc = SO_TC_UNSPEC;
3719	ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
3720
3721	if (must_be_last)
3722	*must_be_last = `1`;
3723
3724	state->tunneled = `4`; / must not process any further in ip6_output /
3725	error = ipsec64_encapsulate(state->m, sav);
3726	if (error) {
3727	state->m = `0`;
3728	goto bad;
3729	}
3730	/ Now we have an IPv4 packet /
3731	ip = mtod(state->m, struct ip *);
3732
3733	// grab sadb_mutex, to update sah's route cache and get a local copy of it
3734	lck_mtx_lock(sadb_mutex);
3735	ro4 = (struct route *)&sav->sah->sa_route;
3736	dst4 = (struct sockaddr_in )(void* *)&ro4->ro_dst;
3737	if (ro4->ro_rt) {
3738	RT_LOCK(ro4->ro_rt);
3739	}
3740	if (ROUTE_UNUSABLE(ro4) \|\|
3741	dst4->sin_addr.s_addr != ip->ip_dst.s_addr) {
3742	if (ro4->ro_rt != NULL)
3743	RT_UNLOCK(ro4->ro_rt);
3744	ROUTE_RELEASE(ro4);
3745	}
3746	if (ro4->ro_rt == NULL) {
3747	dst4->sin_family = AF_INET;
3748	dst4->sin_len = sizeof(*dst4);
3749	dst4->sin_addr = ip->ip_dst;
3750	} else {
3751	RT_UNLOCK(ro4->ro_rt);
3752	}
3753	route_copyout(&ro4_copy, ro4, sizeof(struct route));
3754	// release sadb_mutex, after updating sah's route cache and getting a local copy
3755	lck_mtx_unlock(sadb_mutex);
3756	state->m = ipsec4_splithdr(state->m);
3757	if (!state->m) {
3758	error = ENOMEM;
3759	ROUTE_RELEASE(&ro4_copy);
3760	goto bad;
3761	}
3762	switch (sav->sah->saidx.proto) {
3763	case IPPROTO_ESP:
3764	#if IPSEC_ESP
3765	if ((error = esp4_output(state->m, sav)) != `0`) {
3766	state->m = NULL;
3767	ROUTE_RELEASE(&ro4_copy);
3768	goto bad;
3769	}
3770	break;
3771
3772	#else
3773	m_freem(state->m);
3774	state->m = NULL;
3775	error = EINVAL;
3776	ROUTE_RELEASE(&ro4_copy);
3777	goto bad;
3778	#endif
3779	case IPPROTO_AH:
3780	if ((error = ah4_output(state->m, sav)) != `0`) {
3781	state->m = NULL;
3782	ROUTE_RELEASE(&ro4_copy);
3783	goto bad;
3784	}
3785	break;
3786	case IPPROTO_IPCOMP:
3787	if ((error = ipcomp4_output(state->m, sav)) != `0`) {
3788	state->m = NULL;
3789	ROUTE_RELEASE(&ro4_copy);
3790	goto bad;
3791	}
3792	break;
3793	default:
3794	ipseclog((LOG_ERR,
3795	"ipsec4_output: unknown ipsec protocol %d\n",
3796	sav->sah->saidx.proto));
3797	m_freem(state->m);
3798	state->m = NULL;
3799	error = EINVAL;
3800	ROUTE_RELEASE(&ro4_copy);
3801	goto bad;
3802	}
3803
3804	if (state->m == `0`) {
3805	error = ENOMEM;
3806	ROUTE_RELEASE(&ro4_copy);
3807	goto bad;
3808	}
3809	ipsec_set_pkthdr_for_interface(sav->sah->ipsec_if, state->m, AF_INET);
3810	ipsec_set_ipoa_for_interface(sav->sah->ipsec_if, &ipoa);
3811
3812	ip = mtod(state->m, struct ip *);
3813	ip->ip_len = ntohs(ip->ip_len); / flip len field before calling ip_output /
3814	error = ip_output(state->m, NULL, &ro4_copy, IP_OUTARGS, NULL, &ipoa);
3815	state->m = NULL;
3816	// grab sadb_mutex, to synchronize the sah's route cache with the local copy
3817	lck_mtx_lock(sadb_mutex);
3818	route_copyin(&ro4_copy, ro4, sizeof(struct route));
3819	lck_mtx_unlock(sadb_mutex);
3820	if (error != `0`)
3821	goto bad;
3822	goto done;
3823	} else {
3824	ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3825	"unsupported inner family, spi=%u\n",
3826	(u_int32_t)ntohl(sav->spi)));
3827	IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3828	error = EAFNOSUPPORT;
3829	goto bad;
3830	}
3831
3832	// grab sadb_mutex, before updating sah's route cache
3833	lck_mtx_lock(sadb_mutex);
3834	ro6 = &sav->sah->sa_route;
3835	dst6 = (struct sockaddr_in6 )(void* *)&ro6->ro_dst;
3836	if (ro6->ro_rt) {
3837	RT_LOCK(ro6->ro_rt);
3838	}
3839	if (ROUTE_UNUSABLE(ro6) \|\|
3840	!IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst)) {
3841	if (ro6->ro_rt != NULL)
3842	RT_UNLOCK(ro6->ro_rt);
3843	ROUTE_RELEASE(ro6);
3844	}
3845	if (ro6->ro_rt == `0`) {
3846	bzero(dst6, sizeof(*dst6));
3847	dst6->sin6_family = AF_INET6;
3848	dst6->sin6_len = sizeof(*dst6);
3849	dst6->sin6_addr = ip6->ip6_dst;
3850	rtalloc_scoped((struct route *)ro6, sav->sah->outgoing_if);
3851	if (ro6->ro_rt) {
3852	RT_LOCK(ro6->ro_rt);
3853	}
3854	}
3855	if (ro6->ro_rt == `0`) {
3856	ip6stat.ip6s_noroute++;
3857	IPSEC_STAT_INCREMENT(ipsec6stat.out_noroute);
3858	error = EHOSTUNREACH;
3859	// release sadb_mutex, after updating sah's route cache
3860	lck_mtx_unlock(sadb_mutex);
3861	goto bad;
3862	}
3863
3864	/*
3865	* adjust state->dst if tunnel endpoint is offlink
3866	*
3867	* XXX: caching rt_gateway value in the state is
3868	* not really good, since it may point elsewhere
3869	* when the gateway gets modified to a larger
3870	* sockaddr via rt_setgate(). This is currently
3871	* addressed by SA_SIZE roundup in that routine.
3872	*/
3873	if (ro6->ro_rt->rt_flags & RTF_GATEWAY)
3874	dst6 = (struct sockaddr_in6 )(void* *)ro6->ro_rt->rt_gateway;
3875	RT_UNLOCK(ro6->ro_rt);
3876	ROUTE_RELEASE(&state->ro);
3877	route_copyout((struct route )&state->ro, (struct* route )ro6, sizeof(struct* route_in6));
3878	state->dst = (struct sockaddr *)dst6;
3879	state->tunneled = `6`;
3880	// release sadb_mutex, after updating sah's route cache
3881	lck_mtx_unlock(sadb_mutex);
3882	}
3883
3884	state->m = ipsec6_splithdr(state->m);
3885	if (!state->m) {
3886	IPSEC_STAT_INCREMENT(ipsec6stat.out_nomem);
3887	error = ENOMEM;
3888	goto bad;
3889	}
3890	ip6 = mtod(state->m, struct ip6_hdr *);
3891	switch (sav->sah->saidx.proto) {
3892	case IPPROTO_ESP:
3893	#if IPSEC_ESP
3894	error = esp6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
3895	#else
3896	m_freem(state->m);
3897	error = EINVAL;
3898	#endif
3899	break;
3900	case IPPROTO_AH:
3901	error = ah6_output(state->m, &ip6->ip6_nxt, state->m->m_next, sav);
3902	break;
3903	case IPPROTO_IPCOMP:
3904	/ XXX code should be here /
3905	/FALLTHROUGH/
3906	default:
3907	ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3908	"unknown ipsec protocol %d\n", sav->sah->saidx.proto));
3909	m_freem(state->m);
3910	IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3911	error = EINVAL;
3912	break;
3913	}
3914	if (error) {
3915	state->m = NULL;
3916	goto bad;
3917	}
3918	plen = state->m->m_pkthdr.len - sizeof(struct ip6_hdr);
3919	if (plen > IPV6_MAXPACKET) {
3920	ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
3921	"IPsec with IPv6 jumbogram is not supported\n"));
3922	IPSEC_STAT_INCREMENT(ipsec6stat.out_inval);
3923	error = EINVAL; /XXX/
3924	goto bad;
3925	}
3926	ip6 = mtod(state->m, struct ip6_hdr *);
3927	ip6->ip6_plen = htons(plen);
3928	done:
3929	return `0`;
3930
3931	bad:
3932	return error;
3933	}
3934
3935	int
3936	ipsec6_output_tunnel(
3937	struct ipsec_output_state *state,
3938	struct secpolicy *sp,
3939	__unused int flags)
3940	{
3941	struct ip6_hdr *ip6;
3942	struct ipsecrequest *isr = NULL;
3943	struct secasindex saidx;
3944	struct secasvar *sav = NULL;
3945	int error = `0`;
3946
3947	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
3948
3949	if (!state)
3950	panic("state == NULL in ipsec6_output_tunnel");
3951	if (!state->m)
3952	panic("state->m == NULL in ipsec6_output_tunnel");
3953	if (!sp)
3954	panic("sp == NULL in ipsec6_output_tunnel");
3955
3956	KEYDEBUG(KEYDEBUG_IPSEC_DATA,
3957	printf("ipsec6_output_tunnel: applyed SP\n");
3958	kdebug_secpolicy(sp));
3959
3960	/*
3961	* transport mode ipsec (before the 1st tunnel mode) is already
3962	* processed by ipsec6_output_trans().
3963	*/
3964	for (isr = sp->req; isr; isr = isr->next) {
3965	if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
3966	break;
3967	}
3968
3969	for (/ already initialized /; isr; isr = isr->next) {
3970	if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
3971	/ When tunnel mode, SA peers must be specified. /
3972	bcopy(&isr->saidx, &saidx, sizeof(saidx));
3973	} else {
3974	/ make SA index to look for a proper SA /
3975	struct sockaddr_in6 *sin6;
3976
3977	bzero(&saidx, sizeof(saidx));
3978	saidx.proto = isr->saidx.proto;
3979	saidx.mode = isr->saidx.mode;
3980	saidx.reqid = isr->saidx.reqid;
3981
3982	ip6 = mtod(state->m, struct ip6_hdr *);
3983	sin6 = (struct sockaddr_in6 *)&saidx.src;
3984	if (sin6->sin6_len == `0`) {
3985	sin6->sin6_len = sizeof(*sin6);
3986	sin6->sin6_family = AF_INET6;
3987	sin6->sin6_port = IPSEC_PORT_ANY;
3988	bcopy(&ip6->ip6_src, &sin6->sin6_addr,
3989	sizeof(ip6->ip6_src));
3990	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
3991	/ fix scope id for comparing SPD /
3992	sin6->sin6_addr.s6_addr16[`1`] = `0`;
3993	sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[`1`]);
3994	}
3995	}
3996	sin6 = (struct sockaddr_in6 *)&saidx.dst;
3997	if (sin6->sin6_len == `0`) {
3998	sin6->sin6_len = sizeof(*sin6);
3999	sin6->sin6_family = AF_INET6;
4000	sin6->sin6_port = IPSEC_PORT_ANY;
4001	bcopy(&ip6->ip6_dst, &sin6->sin6_addr,
4002	sizeof(ip6->ip6_dst));
4003	if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
4004	/ fix scope id for comparing SPD /
4005	sin6->sin6_addr.s6_addr16[`1`] = `0`;
4006	sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[`1`]);
4007	}
4008	}
4009	}
4010
4011	if (key_checkrequest(isr, &saidx, &sav) == ENOENT) {
4012	/*
4013	* IPsec processing is required, but no SA found.
4014	* I assume that key_acquire() had been called
4015	* to get/establish the SA. Here I discard
4016	* this packet because it is responsibility for
4017	* upper layer to retransmit the packet.
4018	*/
4019	IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
4020	error = ENOENT;
4021	goto bad;
4022	}
4023
4024	/ validity check /
4025	if (sav == NULL) {
4026	switch (ipsec_get_reqlevel(isr)) {
4027	case IPSEC_LEVEL_USE:
4028	continue;
4029	case IPSEC_LEVEL_REQUIRE:
4030	/ must be not reached here. /
4031	panic("ipsec6_output_tunnel: no SA found, but required.");
4032	}
4033	}
4034
4035	/*
4036	* If there is no valid SA, we give up to process.
4037	* see same place at ipsec4_output().
4038	*/
4039	if (sav->state != SADB_SASTATE_MATURE
4040	&& sav->state != SADB_SASTATE_DYING) {
4041	IPSEC_STAT_INCREMENT(ipsec6stat.out_nosa);
4042	error = EINVAL;
4043	goto bad;
4044	}
4045
4046	int must_be_last = `0`;
4047
4048	if ((error = ipsec6_output_tunnel_internal(state, sav, &must_be_last)) != `0`) {
4049	goto bad;
4050	}
4051
4052	if (must_be_last && isr->next) {
4053	ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
4054	"IPv4 must be outer layer, spi=%u\n",
4055	(u_int32_t)ntohl(sav->spi)));
4056	error = EINVAL;
4057	goto bad;
4058	}
4059	}
4060
4061	if (sav)
4062	key_freesav(sav, KEY_SADB_UNLOCKED);
4063	return `0`;
4064
4065	bad:
4066	if (sav)
4067	key_freesav(sav, KEY_SADB_UNLOCKED);
4068	if (state->m)
4069	m_freem(state->m);
4070	state->m = NULL;
4071	return error;
4072	}
4073
4074	int
4075	ipsec6_interface_output(struct ipsec_output_state state, ifnet_t interface, u_char nexthdrp, struct mbuf *mprev)
4076	{
4077	int error = `0`;
4078	struct secasvar *sav = NULL;
4079
4080	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4081
4082	if (state == NULL) {
4083	panic("state == NULL in ipsec6_output");
4084	}
4085	if (state->m == NULL) {
4086	panic("state->m == NULL in ipsec6_output");
4087	}
4088	if (nexthdrp == NULL) {
4089	panic("nexthdrp == NULL in ipsec6_output");
4090	}
4091	if (mprev == NULL) {
4092	panic("mprev == NULL in ipsec6_output");
4093	}
4094
4095	struct ip6_hdr ip6 = mtod(state->m, struct* ip6_hdr *);
4096
4097	struct sockaddr_in6 src = {};
4098	src.sin6_family = AF_INET6;
4099	src.sin6_len = sizeof(src);
4100	memcpy(&src.sin6_addr, &ip6->ip6_src, sizeof(src.sin6_addr));
4101
4102	struct sockaddr_in6 dst = {};
4103	dst.sin6_family = AF_INET6;
4104	dst.sin6_len = sizeof(dst);
4105	memcpy(&dst.sin6_addr, &ip6->ip6_dst, sizeof(dst.sin6_addr));
4106
4107	sav = key_alloc_outbound_sav_for_interface(interface, AF_INET6,
4108	(struct sockaddr *)&src,
4109	(struct sockaddr *)&dst);
4110	if (sav == NULL) {
4111	goto bad;
4112	}
4113
4114	if (sav->sah && sav->sah->saidx.mode == IPSEC_MODE_TUNNEL) {
4115	if ((error = ipsec6_output_tunnel_internal(state, sav, NULL)) != `0`) {
4116	goto bad;
4117	}
4118	}
4119	else {
4120	if ((error = ipsec6_output_trans_internal(state, sav, nexthdrp, mprev)) != `0`) {
4121	goto bad;
4122	}
4123	}
4124
4125	if (sav) {
4126	key_freesav(sav, KEY_SADB_UNLOCKED);
4127	}
4128	return `0`;
4129
4130	bad:
4131	if (sav) {
4132	key_freesav(sav, KEY_SADB_UNLOCKED);
4133	}
4134	m_freem(state->m);
4135	state->m = NULL;
4136	return error;
4137	}
4138	#endif /INET6/
4139
4140	#if INET
4141	/*
4142	* Chop IP header and option off from the payload.
4143	*/
4144	struct mbuf *
4145	ipsec4_splithdr(struct mbuf *m)
4146	{
4147	struct mbuf *mh;
4148	struct ip *ip;
4149	int hlen;
4150
4151	if (m->m_len < sizeof(struct ip))
4152	panic("ipsec4_splithdr: first mbuf too short, m_len %d, pkt_len %d, m_flag %x", m->m_len, m->m_pkthdr.len, m->m_flags);
4153	ip = mtod(m, struct ip *);
4154	#ifdef _IP_VHL
4155	hlen = _IP_VHL_HL(ip->ip_vhl) << `2`;
4156	#else
4157	hlen = ip->ip_hl << `2`;
4158	#endif
4159	if (m->m_len > hlen) {
4160	MGETHDR(mh, M_DONTWAIT, MT_HEADER); / MAC-OK /
4161	if (!mh) {
4162	m_freem(m);
4163	return NULL;
4164	}
4165	M_COPY_PKTHDR(mh, m);
4166	MH_ALIGN(mh, hlen);
4167	m->m_flags &= ~M_PKTHDR;
4168	m_mchtype(m, MT_DATA);
4169	m->m_len -= hlen;
4170	m->m_data += hlen;
4171	mh->m_next = m;
4172	m = mh;
4173	m->m_len = hlen;
4174	bcopy((caddr_t)ip, mtod(m, caddr_t), hlen);
4175	} else if (m->m_len < hlen) {
4176	m = m_pullup(m, hlen);
4177	if (!m)
4178	return NULL;
4179	}
4180	return m;
4181	}
4182	#endif
4183
4184	#if INET6
4185	struct mbuf *
4186	ipsec6_splithdr(struct mbuf *m)
4187	{
4188	struct mbuf *mh;
4189	struct ip6_hdr *ip6;
4190	int hlen;
4191
4192	if (m->m_len < sizeof(struct ip6_hdr))
4193	panic("ipsec6_splithdr: first mbuf too short");
4194	ip6 = mtod(m, struct ip6_hdr *);
4195	hlen = sizeof(struct ip6_hdr);
4196	if (m->m_len > hlen) {
4197	MGETHDR(mh, M_DONTWAIT, MT_HEADER); / MAC-OK /
4198	if (!mh) {
4199	m_freem(m);
4200	return NULL;
4201	}
4202	M_COPY_PKTHDR(mh, m);
4203	MH_ALIGN(mh, hlen);
4204	m->m_flags &= ~M_PKTHDR;
4205	m_mchtype(m, MT_DATA);
4206	m->m_len -= hlen;
4207	m->m_data += hlen;
4208	mh->m_next = m;
4209	m = mh;
4210	m->m_len = hlen;
4211	bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
4212	} else if (m->m_len < hlen) {
4213	m = m_pullup(m, hlen);
4214	if (!m)
4215	return NULL;
4216	}
4217	return m;
4218	}
4219	#endif
4220
4221	/ validate inbound IPsec tunnel packet. /
4222	int
4223	ipsec4_tunnel_validate(
4224	struct mbuf m, /* no pullup permitted, m->m_len >= ip /
4225	int off,
4226	u_int nxt0,
4227	struct secasvar *sav,
4228	sa_family_t *ifamily)
4229	{
4230	u_int8_t nxt = nxt0 & `0xff`;
4231	struct sockaddr_in *sin;
4232	struct sockaddr_in osrc, odst, i4src, i4dst;
4233	struct sockaddr_in6 i6src, i6dst;
4234	int hlen;
4235	struct secpolicy *sp;
4236	struct ip *oip;
4237
4238	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4239
4240	#if DIAGNOSTIC
4241	if (m->m_len < sizeof(struct ip))
4242	panic("too short mbuf on ipsec4_tunnel_validate");
4243	#endif
4244	if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6)
4245	return `0`;
4246	if (m->m_pkthdr.len < off + sizeof(struct ip))
4247	return `0`;
4248	/ do not decapsulate if the SA is for transport mode only /
4249	if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
4250	return `0`;
4251
4252	oip = mtod(m, struct ip *);
4253	#ifdef _IP_VHL
4254	hlen = _IP_VHL_HL(oip->ip_vhl) << `2`;
4255	#else
4256	hlen = oip->ip_hl << `2`;
4257	#endif
4258	if (hlen != sizeof(struct ip))
4259	return `0`;
4260
4261	sin = (struct sockaddr_in *)&sav->sah->saidx.dst;
4262	if (sin->sin_family != AF_INET)
4263	return `0`;
4264	if (bcmp(&oip->ip_dst, &sin->sin_addr, sizeof(oip->ip_dst)) != `0`)
4265	return `0`;
4266
4267	if (sav->sah->ipsec_if != NULL) {
4268	// the ipsec interface SAs don't have a policies.
4269	if (nxt == IPPROTO_IPV4) {
4270	*ifamily = AF_INET;
4271	} else if (nxt == IPPROTO_IPV6) {
4272	*ifamily = AF_INET6;
4273	} else {
4274	return `0`;
4275	}
4276	return `1`;
4277	}
4278
4279	/ XXX slow /
4280	bzero(&osrc, sizeof(osrc));
4281	bzero(&odst, sizeof(odst));
4282	osrc.sin_family = odst.sin_family = AF_INET;
4283	osrc.sin_len = odst.sin_len = sizeof(struct sockaddr_in);
4284	osrc.sin_addr = oip->ip_src;
4285	odst.sin_addr = oip->ip_dst;
4286	/*
4287	* RFC2401 5.2.1 (b): (assume that we are using tunnel mode)
4288	* - if the inner destination is multicast address, there can be
4289	* multiple permissible inner source address. implementation
4290	* may want to skip verification of inner source address against
4291	* SPD selector.
4292	* - if the inner protocol is ICMP, the packet may be an error report
4293	* from routers on the other side of the VPN cloud (R in the
4294	* following diagram). in this case, we cannot verify inner source
4295	* address against SPD selector.
4296	* me -- gw === gw -- R -- you
4297	*
4298	* we consider the first bullet to be users responsibility on SPD entry
4299	* configuration (if you need to encrypt multicast traffic, set
4300	* the source range of SPD selector to 0.0.0.0/0, or have explicit
4301	* address ranges for possible senders).
4302	* the second bullet is not taken care of (yet).
4303	*
4304	* therefore, we do not do anything special about inner source.
4305	*/
4306	if (nxt == IPPROTO_IPV4) {
4307	bzero(&i4src, sizeof(struct sockaddr_in));
4308	bzero(&i4dst, sizeof(struct sockaddr_in));
4309	i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET;
4310	i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in);
4311	m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr),
4312	(caddr_t)&i4src.sin_addr);
4313	m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr),
4314	(caddr_t)&i4dst.sin_addr);
4315	sp = key_gettunnel((struct sockaddr )&osrc, (struct* sockaddr *)&odst,
4316	(struct sockaddr )&i4src, (struct* sockaddr *)&i4dst);
4317	} else if (nxt == IPPROTO_IPV6) {
4318	bzero(&i6src, sizeof(struct sockaddr_in6));
4319	bzero(&i6dst, sizeof(struct sockaddr_in6));
4320	i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6;
4321	i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6);
4322	m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr),
4323	(caddr_t)&i6src.sin6_addr);
4324	m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr),
4325	(caddr_t)&i6dst.sin6_addr);
4326	sp = key_gettunnel((struct sockaddr )&osrc, (struct* sockaddr *)&odst,
4327	(struct sockaddr )&i6src, (struct* sockaddr *)&i6dst);
4328	} else
4329	return `0`; / unsupported family /
4330
4331	if (!sp)
4332	return `0`;
4333
4334	key_freesp(sp, KEY_SADB_UNLOCKED);
4335
4336	return `1`;
4337	}
4338
4339	#if INET6
4340	/ validate inbound IPsec tunnel packet. /
4341	int
4342	ipsec6_tunnel_validate(
4343	struct mbuf m, /* no pullup permitted, m->m_len >= ip /
4344	int off,
4345	u_int nxt0,
4346	struct secasvar *sav,
4347	sa_family_t *ifamily)
4348	{
4349	u_int8_t nxt = nxt0 & `0xff`;
4350	struct sockaddr_in6 *sin6;
4351	struct sockaddr_in i4src, i4dst;
4352	struct sockaddr_in6 osrc, odst, i6src, i6dst;
4353	struct secpolicy *sp;
4354	struct ip6_hdr *oip6;
4355
4356	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4357
4358	#if DIAGNOSTIC
4359	if (m->m_len < sizeof(struct ip6_hdr))
4360	panic("too short mbuf on ipsec6_tunnel_validate");
4361	#endif
4362	if (nxt != IPPROTO_IPV4 && nxt != IPPROTO_IPV6)
4363	return `0`;
4364
4365	if (m->m_pkthdr.len < off + sizeof(struct ip6_hdr))
4366	return `0`;
4367	/ do not decapsulate if the SA is for transport mode only /
4368	if (sav->sah->saidx.mode == IPSEC_MODE_TRANSPORT)
4369	return `0`;
4370
4371	oip6 = mtod(m, struct ip6_hdr *);
4372	/ AF_INET should be supported, but at this moment we don't. /
4373	sin6 = (struct sockaddr_in6 *)&sav->sah->saidx.dst;
4374	if (sin6->sin6_family != AF_INET6)
4375	return `0`;
4376	if (!IN6_ARE_ADDR_EQUAL(&oip6->ip6_dst, &sin6->sin6_addr))
4377	return `0`;
4378
4379	if (sav->sah->ipsec_if != NULL) {
4380	// the ipsec interface SAs don't have a policies.
4381	if (nxt == IPPROTO_IPV4) {
4382	*ifamily = AF_INET;
4383	} else if (nxt == IPPROTO_IPV6) {
4384	*ifamily = AF_INET6;
4385	} else {
4386	return `0`;
4387	}
4388	return `1`;
4389	}
4390
4391	/ XXX slow /
4392	bzero(&osrc, sizeof(osrc));
4393	bzero(&odst, sizeof(odst));
4394	osrc.sin6_family = odst.sin6_family = AF_INET6;
4395	osrc.sin6_len = odst.sin6_len = sizeof(struct sockaddr_in6);
4396	osrc.sin6_addr = oip6->ip6_src;
4397	odst.sin6_addr = oip6->ip6_dst;
4398
4399	/*
4400	* regarding to inner source address validation, see a long comment
4401	* in ipsec4_tunnel_validate.
4402	*/
4403
4404	if (nxt == IPPROTO_IPV4) {
4405	bzero(&i4src, sizeof(struct sockaddr_in));
4406	bzero(&i4dst, sizeof(struct sockaddr_in));
4407	i4src.sin_family = i4dst.sin_family = *ifamily = AF_INET;
4408	i4src.sin_len = i4dst.sin_len = sizeof(struct sockaddr_in);
4409	m_copydata(m, off + offsetof(struct ip, ip_src), sizeof(i4src.sin_addr),
4410	(caddr_t)&i4src.sin_addr);
4411	m_copydata(m, off + offsetof(struct ip, ip_dst), sizeof(i4dst.sin_addr),
4412	(caddr_t)&i4dst.sin_addr);
4413	sp = key_gettunnel((struct sockaddr )&osrc, (struct* sockaddr *)&odst,
4414	(struct sockaddr )&i4src, (struct* sockaddr *)&i4dst);
4415	} else if (nxt == IPPROTO_IPV6) {
4416	bzero(&i6src, sizeof(struct sockaddr_in6));
4417	bzero(&i6dst, sizeof(struct sockaddr_in6));
4418	i6src.sin6_family = i6dst.sin6_family = *ifamily = AF_INET6;
4419	i6src.sin6_len = i6dst.sin6_len = sizeof(struct sockaddr_in6);
4420	m_copydata(m, off + offsetof(struct ip6_hdr, ip6_src), sizeof(i6src.sin6_addr),
4421	(caddr_t)&i6src.sin6_addr);
4422	m_copydata(m, off + offsetof(struct ip6_hdr, ip6_dst), sizeof(i6dst.sin6_addr),
4423	(caddr_t)&i6dst.sin6_addr);
4424	sp = key_gettunnel((struct sockaddr )&osrc, (struct* sockaddr *)&odst,
4425	(struct sockaddr )&i6src, (struct* sockaddr *)&i6dst);
4426	} else
4427	return `0`; / unsupported family /
4428	/*
4429	* when there is no suitable inbound policy for the packet of the ipsec
4430	* tunnel mode, the kernel never decapsulate the tunneled packet
4431	* as the ipsec tunnel mode even when the system wide policy is "none".
4432	* then the kernel leaves the generic tunnel module to process this
4433	* packet. if there is no rule of the generic tunnel, the packet
4434	* is rejected and the statistics will be counted up.
4435	*/
4436	if (!sp)
4437	return `0`;
4438	key_freesp(sp, KEY_SADB_UNLOCKED);
4439
4440	return `1`;
4441	}
4442	#endif
4443
4444	/*
4445	* Make a mbuf chain for encryption.
4446	* If the original mbuf chain contains a mbuf with a cluster,
4447	* allocate a new cluster and copy the data to the new cluster.
4448	* XXX: this hack is inefficient, but is necessary to handle cases
4449	* of TCP retransmission...
4450	*/
4451	struct mbuf *
4452	ipsec_copypkt(struct mbuf *m)
4453	{
4454	struct mbuf n, mpp, mnew;
4455
4456	for (n = m, mpp = &m; n; n = n->m_next) {
4457	if (n->m_flags & M_EXT) {
4458	/*
4459	* Make a copy only if there are more than one references
4460	* to the cluster.
4461	* XXX: is this approach effective?
4462	*/
4463	if (
4464	m_get_ext_free(n) != NULL \|\|
4465	m_mclhasreference(n)
4466	)
4467	{
4468	int remain, copied;
4469	struct mbuf *mm;
4470
4471	if (n->m_flags & M_PKTHDR) {
4472	MGETHDR(mnew, M_DONTWAIT, MT_HEADER); / MAC-OK /
4473	if (mnew == NULL)
4474	goto fail;
4475	M_COPY_PKTHDR(mnew, n);
4476	}
4477	else {
4478	MGET(mnew, M_DONTWAIT, MT_DATA);
4479	if (mnew == NULL)
4480	goto fail;
4481	}
4482	mnew->m_len = `0`;
4483	mm = mnew;
4484
4485	/*
4486	* Copy data. If we don't have enough space to
4487	* store the whole data, allocate a cluster
4488	* or additional mbufs.
4489	* XXX: we don't use m_copyback(), since the
4490	* function does not use clusters and thus is
4491	* inefficient.
4492	*/
4493	remain = n->m_len;
4494	copied = `0`;
4495	while (`1`) {
4496	int len;
4497	struct mbuf *mn;
4498
4499	if (remain <= (mm->m_flags & M_PKTHDR ? MHLEN : MLEN))
4500	len = remain;
4501	else { / allocate a cluster /
4502	MCLGET(mm, M_DONTWAIT);
4503	if (!(mm->m_flags & M_EXT)) {
4504	m_free(mm);
4505	goto fail;
4506	}
4507	len = remain < MCLBYTES ?
4508	remain : MCLBYTES;
4509	}
4510
4511	bcopy(n->m_data + copied, mm->m_data,
4512	len);
4513
4514	copied += len;
4515	remain -= len;
4516	mm->m_len = len;
4517
4518	if (remain <= `0`) / completed? /
4519	break;
4520
4521	/ need another mbuf /
4522	MGETHDR(mn, M_DONTWAIT, MT_HEADER); / XXXMAC: tags copied next time in loop? /
4523	if (mn == NULL)
4524	goto fail;
4525	mn->m_pkthdr.rcvif = NULL;
4526	mm->m_next = mn;
4527	mm = mn;
4528	}
4529
4530	/ adjust chain /
4531	mm->m_next = m_free(n);
4532	n = mm;
4533	*mpp = mnew;
4534	mpp = &n->m_next;
4535
4536	continue;
4537	}
4538	}
4539	*mpp = n;
4540	mpp = &n->m_next;
4541	}
4542
4543	return(m);
4544	fail:
4545	m_freem(m);
4546	return(NULL);
4547	}
4548
4549	/*
4550	* Tags are allocated as mbufs for now, since our minimum size is MLEN, we
4551	* should make use of up to that much space.
4552	*/
4553	#define IPSEC_TAG_HEADER \
4554
4555	struct ipsec_tag {
4556	struct socket *socket;
4557	u_int32_t history_count;
4558	struct ipsec_history history[];
4559	#if __arm__ && (__BIGGEST_ALIGNMENT__ > 4)
4560	/ For the newer ARMv7k ABI where 64-bit types are 64-bit aligned, but pointers*
4561	* are 32-bit:
4562	* Aligning to 64-bit since we case to m_tag which is 64-bit aligned.
4563	*/
4564	} __attribute__ ((aligned(`8`)));
4565	#else
4566	};
4567	#endif
4568
4569	#define IPSEC_TAG_SIZE (MLEN - sizeof(struct m_tag))
4570	#define IPSEC_TAG_HDR_SIZE (offsetof(struct ipsec_tag, history[0]))
4571	#define IPSEC_HISTORY_MAX ((IPSEC_TAG_SIZE - IPSEC_TAG_HDR_SIZE) / \
4572	sizeof(struct ipsec_history))
4573
4574	static struct ipsec_tag *
4575	ipsec_addaux(
4576	struct mbuf *m)
4577	{
4578	struct m_tag *tag;
4579
4580	/ Check if the tag already exists /
4581	tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4582
4583	if (tag == NULL) {
4584	struct ipsec_tag *itag;
4585
4586	/ Allocate a tag /
4587	tag = m_tag_create(KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC,
4588	IPSEC_TAG_SIZE, M_DONTWAIT, m);
4589
4590	if (tag) {
4591	itag = (struct ipsec_tag*)(tag + `1`);
4592	itag->socket = `0`;
4593	itag->history_count = `0`;
4594
4595	m_tag_prepend(m, tag);
4596	}
4597	}
4598
4599	return tag ? (struct ipsec_tag*)(tag + `1`) : NULL;
4600	}
4601
4602	static struct ipsec_tag *
4603	ipsec_findaux(
4604	struct mbuf *m)
4605	{
4606	struct m_tag *tag;
4607
4608	tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4609
4610	return tag ? (struct ipsec_tag*)(tag + `1`) : NULL;
4611	}
4612
4613	void
4614	ipsec_delaux(
4615	struct mbuf *m)
4616	{
4617	struct m_tag *tag;
4618
4619	tag = m_tag_locate(m, KERNEL_MODULE_TAG_ID, KERNEL_TAG_TYPE_IPSEC, NULL);
4620
4621	if (tag) {
4622	m_tag_delete(m, tag);
4623	}
4624	}
4625
4626	/ if the aux buffer is unnecessary, nuke it. /
4627	static void
4628	ipsec_optaux(
4629	struct mbuf *m,
4630	struct ipsec_tag *itag)
4631	{
4632	if (itag && itag->socket == NULL && itag->history_count == `0`) {
4633	m_tag_delete(m, ((struct m_tag*)itag) - `1`);
4634	}
4635	}
4636
4637	int
4638	ipsec_setsocket(struct mbuf m, struct* socket *so)
4639	{
4640	struct ipsec_tag *tag;
4641
4642	/ if so == NULL, don't insist on getting the aux mbuf /
4643	if (so) {
4644	tag = ipsec_addaux(m);
4645	if (!tag)
4646	return ENOBUFS;
4647	} else
4648	tag = ipsec_findaux(m);
4649	if (tag) {
4650	tag->socket = so;
4651	ipsec_optaux(m, tag);
4652	}
4653	return `0`;
4654	}
4655
4656	struct socket *
4657	ipsec_getsocket(struct mbuf *m)
4658	{
4659	struct ipsec_tag *itag;
4660
4661	itag = ipsec_findaux(m);
4662	if (itag)
4663	return itag->socket;
4664	else
4665	return NULL;
4666	}
4667
4668	int
4669	ipsec_addhist(
4670	struct mbuf *m,
4671	int proto,
4672	u_int32_t spi)
4673	{
4674	struct ipsec_tag *itag;
4675	struct ipsec_history *p;
4676	itag = ipsec_addaux(m);
4677	if (!itag)
4678	return ENOBUFS;
4679	if (itag->history_count == IPSEC_HISTORY_MAX)
4680	return ENOSPC; / XXX /
4681
4682	p = &itag->history[itag->history_count];
4683	itag->history_count++;
4684
4685	bzero(p, sizeof(*p));
4686	p->ih_proto = proto;
4687	p->ih_spi = spi;
4688
4689	return `0`;
4690	}
4691
4692	struct ipsec_history *
4693	ipsec_gethist(
4694	struct mbuf *m,
4695	int *lenp)
4696	{
4697	struct ipsec_tag *itag;
4698
4699	itag = ipsec_findaux(m);
4700	if (!itag)
4701	return NULL;
4702	if (itag->history_count == `0`)
4703	return NULL;
4704	if (lenp)
4705	lenp = (int)(itag->history_count sizeof(struct ipsec_history));
4706	return itag->history;
4707	}
4708
4709	void
4710	ipsec_clearhist(
4711	struct mbuf *m)
4712	{
4713	struct ipsec_tag *itag;
4714
4715	itag = ipsec_findaux(m);
4716	if (itag) {
4717	itag->history_count = `0`;
4718	}
4719	ipsec_optaux(m, itag);
4720	}
4721
4722	__private_extern__ int
4723	ipsec_send_natt_keepalive(
4724	struct secasvar *sav)
4725	{
4726	struct mbuf *m;
4727	struct ip *ip;
4728	int error;
4729	struct ip_out_args ipoa;
4730	struct route ro;
4731	int keepalive_interval = natt_keepalive_interval;
4732
4733	bzero(&ipoa, sizeof(ipoa));
4734	ipoa.ipoa_boundif = IFSCOPE_NONE;
4735	ipoa.ipoa_flags = IPOAF_SELECT_SRCIF;
4736	ipoa.ipoa_sotc = SO_TC_UNSPEC;
4737	ipoa.ipoa_netsvctype = _NET_SERVICE_TYPE_UNSPEC;
4738
4739	LCK_MTX_ASSERT(sadb_mutex, LCK_MTX_ASSERT_NOTOWNED);
4740
4741	if ((esp_udp_encap_port & `0xFFFF`) == `0` \|\| sav->remote_ike_port == `0`) return FALSE;
4742
4743	if (sav->natt_interval != `0`) {
4744	keepalive_interval = (int)sav->natt_interval;
4745	}
4746
4747	// natt timestamp may have changed... reverify
4748	if ((natt_now - sav->natt_last_activity) < keepalive_interval) return FALSE;
4749
4750	if (sav->flags & SADB_X_EXT_ESP_KEEPALIVE) return FALSE; // don't send these from the kernel
4751
4752	m = m_gethdr(M_NOWAIT, MT_DATA);
4753	if (m == NULL) return FALSE;
4754
4755	ip = (__typeof__(ip))m_mtod(m);
4756
4757	// this sends one type of NATT keepalives (Type 1, ESP keepalives, aren't sent by kernel)
4758	if ((sav->flags & SADB_X_EXT_ESP_KEEPALIVE) == `0`) {
4759	struct udphdr *uh;
4760
4761	/*
4762	* Type 2: a UDP packet complete with IP header.
4763	* We must do this because UDP output requires
4764	* an inpcb which we don't have. UDP packet
4765	* contains one byte payload. The byte is set
4766	* to 0xFF.
4767	*/
4768	uh = (__typeof__(uh))(void )((char* )m_mtod(m) + sizeof(ip));
4769	m->m_len = sizeof(struct udpiphdr) + `1`;
4770	bzero(m_mtod(m), m->m_len);
4771	m->m_pkthdr.len = m->m_len;
4772
4773	ip->ip_len = m->m_len;
4774	ip->ip_ttl = ip_defttl;
4775	ip->ip_p = IPPROTO_UDP;
4776	if (sav->sah->dir != IPSEC_DIR_INBOUND) {
4777	ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4778	ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4779	} else {
4780	ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4781	ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4782	}
4783	uh->uh_sport = htons((u_short)esp_udp_encap_port);
4784	uh->uh_dport = htons(sav->remote_ike_port);
4785	uh->uh_ulen = htons(`1` + sizeof(*uh));
4786	uh->uh_sum = `0`;
4787	(u_int8_t)((char)m_mtod(m) + sizeof(ip) + sizeof(*uh)) = `0xFF`;
4788	}
4789
4790	// grab sadb_mutex, to get a local copy of sah's route cache
4791	lck_mtx_lock(sadb_mutex);
4792	if (ROUTE_UNUSABLE(&sav->sah->sa_route) \|\|
4793	rt_key(sav->sah->sa_route.ro_rt)->sa_family != AF_INET)
4794	ROUTE_RELEASE(&sav->sah->sa_route);
4795
4796	route_copyout(&ro, (struct route )&sav->sah->sa_route, sizeof(struct* route));
4797	lck_mtx_unlock(sadb_mutex);
4798
4799	necp_mark_packet_as_keepalive(m, TRUE);
4800
4801	error = ip_output(m, NULL, &ro, IP_OUTARGS \| IP_NOIPSEC, NULL, &ipoa);
4802
4803	// grab sadb_mutex, to synchronize the sah's route cache with the local copy
4804	lck_mtx_lock(sadb_mutex);
4805	route_copyin(&ro, (struct route )&sav->sah->sa_route, sizeof(struct* route));
4806	lck_mtx_unlock(sadb_mutex);
4807	if (error == `0`) {
4808	sav->natt_last_activity = natt_now;
4809	return TRUE;
4810	}
4811	return FALSE;
4812	}
4813
4814	__private_extern__ bool
4815	ipsec_fill_offload_frame(ifnet_t ifp,
4816	struct secasvar *sav,
4817	struct ifnet_keepalive_offload_frame *frame,
4818	size_t frame_data_offset)
4819	{
4820	u_int8_t *data = NULL;
4821	struct ip *ip = NULL;
4822	struct udphdr *uh = NULL;
4823
4824	if (sav == NULL \|\| sav->sah == NULL \|\| frame == NULL \|\|
4825	(ifp != NULL && ifp->if_index != sav->sah->outgoing_if) \|\|
4826	sav->sah->saidx.dst.ss_family != AF_INET \|\|
4827	!(sav->flags & SADB_X_EXT_NATT) \|\|
4828	!(sav->flags & SADB_X_EXT_NATT_KEEPALIVE) \|\|
4829	!(sav->flags & SADB_X_EXT_NATT_KEEPALIVE_OFFLOAD) \|\|
4830	sav->flags & SADB_X_EXT_ESP_KEEPALIVE \|\|
4831	(esp_udp_encap_port & `0xFFFF`) == `0` \|\|
4832	sav->remote_ike_port == `0` \|\|
4833	(natt_keepalive_interval == `0` && sav->natt_interval == `0` && sav->natt_offload_interval == `0`)) {
4834	/ SA is not eligible for keepalive offload on this interface /
4835	return (FALSE);
4836	}
4837
4838	if (frame_data_offset + sizeof(struct udpiphdr) + `1` >
4839	IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE) {
4840	/ Not enough room in this data frame /
4841	return (FALSE);
4842	}
4843
4844	data = frame->data;
4845	ip = (__typeof__(ip))(void *)(data + frame_data_offset);
4846	uh = (__typeof__(uh))(void )(data + frame_data_offset + sizeof(ip));
4847
4848	frame->length = frame_data_offset + sizeof(struct udpiphdr) + `1`;
4849	frame->type = IFNET_KEEPALIVE_OFFLOAD_FRAME_IPSEC;
4850	frame->ether_type = IFNET_KEEPALIVE_OFFLOAD_FRAME_ETHERTYPE_IPV4;
4851
4852	bzero(data, IFNET_KEEPALIVE_OFFLOAD_FRAME_DATA_SIZE);
4853
4854	ip->ip_v = IPVERSION;
4855	ip->ip_hl = sizeof(struct ip) >> `2`;
4856	ip->ip_off &= htons(~IP_OFFMASK);
4857	ip->ip_off &= htons(~IP_MF);
4858	switch (ip4_ipsec_dfbit) {
4859	case `0`: / clear DF bit /
4860	ip->ip_off &= htons(~IP_DF);
4861	break;
4862	case `1`: / set DF bit /
4863	ip->ip_off \|= htons(IP_DF);
4864	break;
4865	default: / copy DF bit /
4866	break;
4867	}
4868	ip->ip_len = htons(sizeof(struct udpiphdr) + `1`);
4869	if (rfc6864 && IP_OFF_IS_ATOMIC(htons(ip->ip_off))) {
4870	ip->ip_id = `0`;
4871	} else {
4872	ip->ip_id = ip_randomid();
4873	}
4874	ip->ip_ttl = ip_defttl;
4875	ip->ip_p = IPPROTO_UDP;
4876	ip->ip_sum = `0`;
4877	if (sav->sah->dir != IPSEC_DIR_INBOUND) {
4878	ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4879	ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4880	} else {
4881	ip->ip_src = ((struct sockaddr_in*)&sav->sah->saidx.dst)->sin_addr;
4882	ip->ip_dst = ((struct sockaddr_in*)&sav->sah->saidx.src)->sin_addr;
4883	}
4884	ip->ip_sum = in_cksum_hdr_opt(ip);
4885	uh->uh_sport = htons((u_short)esp_udp_encap_port);
4886	uh->uh_dport = htons(sav->remote_ike_port);
4887	uh->uh_ulen = htons(`1` + sizeof(*uh));
4888	uh->uh_sum = `0`;
4889	(u_int8_t)(data + frame_data_offset + sizeof(ip) + sizeof(uh)) = `0xFF`;
4890
4891	if (sav->natt_offload_interval != `0`) {
4892	frame->interval = sav->natt_offload_interval;
4893	} else if (sav->natt_interval != `0`) {
4894	frame->interval = sav->natt_interval;
4895	} else {
4896	frame->interval = natt_keepalive_interval;
4897	}
4898	return (TRUE);
4899	}
4900

Browse the source code of xnu/bsd/netinet6/ipsec.c