ipsec_output.c 28.3 KB
Newer Older
Sam Leffler's avatar
Sam Leffler committed
1
/*-
2
3
 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
 *
Sam Leffler's avatar
Sam Leffler committed
4
 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
5
 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
Sam Leffler's avatar
Sam Leffler committed
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD$
 */
31
32
33
34
35
36
37

/*
 * IPsec output processing.
 */
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
38
#include "opt_sctp.h"
39
40
41
42
43
44
45
46

#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/domain.h>
#include <sys/protosw.h>
#include <sys/socket.h>
#include <sys/errno.h>
47
#include <sys/hhook.h>
48
49
50
#include <sys/syslog.h>

#include <net/if.h>
51
#include <net/if_enc.h>
52
#include <net/if_var.h>
53
#include <net/vnet.h>
54
55
56
57
58
59
60
61
62
63

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_var.h>
#include <netinet/in_var.h>
#include <netinet/ip_ecn.h>
#ifdef INET6
#include <netinet6/ip6_ecn.h>
#endif
64
65
#include <netinet/ip_icmp.h>
#include <netinet/tcp_var.h>
66
67
68
69

#include <netinet/ip6.h>
#ifdef INET6
#include <netinet6/ip6_var.h>
70
#include <netinet6/scope6_var.h>
71
72
73
74
75
#endif
#include <netinet/in_pcb.h>
#ifdef INET6
#include <netinet/icmp6.h>
#endif
76
#if defined(SCTP) || defined(SCTP_SUPPORT)
77
78
#include <netinet/sctp_crc32.h>
#endif
79

80
81
82
#include <netinet/udp.h>
#include <netipsec/ah.h>
#include <netipsec/esp.h>
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#include <netipsec/ipsec.h>
#ifdef INET6
#include <netipsec/ipsec6.h>
#endif
#include <netipsec/ah_var.h>
#include <netipsec/esp_var.h>
#include <netipsec/ipcomp_var.h>

#include <netipsec/xform.h>

#include <netipsec/key.h>
#include <netipsec/keydb.h>
#include <netipsec/key_debug.h>

#include <machine/in_cksum.h>

99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
#define	IPSEC_OSTAT_INC(proto, name)	do {		\
	if ((proto) == IPPROTO_ESP)	\
		ESPSTAT_INC(esps_##name);	\
	else if ((proto) == IPPROTO_AH)\
		AHSTAT_INC(ahs_##name);		\
	else					\
		IPCOMPSTAT_INC(ipcomps_##name);	\
} while (0)

static int ipsec_encap(struct mbuf **mp, struct secasindex *saidx);

#ifdef INET
static struct secasvar *
ipsec4_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error)
{
	struct secasindex *saidx, tmpsaidx;
	struct ipsecrequest *isr;
	struct sockaddr_in *sin;
	struct secasvar *sav;
	struct ip *ip;

	/*
	 * Check system global policy controls.
	 */
next:
	isr = sp->req[*pidx];
	if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) ||
	    (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) ||
	    (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
		DPRINTF(("%s: IPsec outbound packet dropped due"
			" to policy (check your sysctls)\n", __func__));
		IPSEC_OSTAT_INC(isr->saidx.proto, pdrops);
		*error = EHOSTUNREACH;
		return (NULL);
	}
	/*
	 * Craft SA index to search for proper SA.  Note that
	 * we only initialize unspecified SA peers for transport
	 * mode; for tunnel mode they must already be filled in.
	 */
	if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
		saidx = &tmpsaidx;
		*saidx = isr->saidx;
		ip = mtod(m, struct ip *);
		if (saidx->src.sa.sa_len == 0) {
			sin = &saidx->src.sin;
			sin->sin_len = sizeof(*sin);
			sin->sin_family = AF_INET;
			sin->sin_port = IPSEC_PORT_ANY;
			sin->sin_addr = ip->ip_src;
		}
		if (saidx->dst.sa.sa_len == 0) {
			sin = &saidx->dst.sin;
			sin->sin_len = sizeof(*sin);
			sin->sin_family = AF_INET;
			sin->sin_port = IPSEC_PORT_ANY;
			sin->sin_addr = ip->ip_dst;
		}
	} else
		saidx = &sp->req[*pidx]->saidx;
	/*
	 * Lookup SA and validate it.
	 */
	sav = key_allocsa_policy(sp, saidx, error);
	if (sav == NULL) {
		IPSECSTAT_INC(ips_out_nosa);
		if (*error != 0)
			return (NULL);
		if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) {
			/*
			 * We have no SA and policy that doesn't require
			 * this IPsec transform, thus we can continue w/o
			 * IPsec processing, i.e. return EJUSTRETURN.
			 * But first check if there is some bundled transform.
			 */
			if (sp->tcount > ++(*pidx))
				goto next;
			*error = EJUSTRETURN;
		}
		return (NULL);
	}
	IPSEC_ASSERT(sav->tdb_xform != NULL, ("SA with NULL tdb_xform"));
	return (sav);
}

/*
 * IPsec output logic for IPv4.
 */
static int
188
189
ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp,
    struct inpcb *inp, u_int idx)
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
{
	struct ipsec_ctx_data ctx;
	union sockaddr_union *dst;
	struct secasvar *sav;
	struct ip *ip;
	int error, i, off;

	IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx));

	/*
	 * We hold the reference to SP. Content of SP couldn't be changed.
	 * Craft secasindex and do lookup for suitable SA.
	 * Then do encapsulation if needed and call xform's output.
	 * We need to store SP in the xform callback parameters.
	 * In xform callback we will extract SP and it can be used to
	 * determine next transform. At the end of transform we can
	 * release reference to SP.
	 */
	sav = ipsec4_allocsa(m, sp, &idx, &error);
	if (sav == NULL) {
		if (error == EJUSTRETURN) { /* No IPsec required */
			key_freesp(&sp);
			return (error);
		}
		goto bad;
	}
	/*
	 * XXXAE: most likely ip_sum at this point is wrong.
	 */
219
	IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET, IPSEC_ENC_BEFORE);
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
		goto bad;

	ip = mtod(m, struct ip *);
	dst = &sav->sah->saidx.dst;
	/* Do the appropriate encapsulation, if necessary */
	if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
	    dst->sa.sa_family != AF_INET ||	    /* PF mismatch */
	    (dst->sa.sa_family == AF_INET &&	    /* Proxy */
	     dst->sin.sin_addr.s_addr != INADDR_ANY &&
	     dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) {
		/* Fix IPv4 header checksum and length */
		ip->ip_len = htons(m->m_pkthdr.len);
		ip->ip_sum = 0;
		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
		error = ipsec_encap(&m, &sav->sah->saidx);
		if (error != 0) {
237
238
239
			DPRINTF(("%s: encapsulation for SPI 0x%08x failed "
			    "with error %d\n", __func__, ntohl(sav->spi),
			    error));
240
241
242
			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
			goto bad;
		}
243
		inp = NULL;
244
245
	}

246
	IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
		goto bad;

	/*
	 * Dispatch to the appropriate IPsec transform logic.  The
	 * packet will be returned for transmission after crypto
	 * processing, etc. are completed.
	 *
	 * NB: m & sav are ``passed to caller'' who's responsible for
	 *     reclaiming their resources.
	 */
	switch(dst->sa.sa_family) {
	case AF_INET:
		ip = mtod(m, struct ip *);
		i = ip->ip_hl << 2;
		off = offsetof(struct ip, ip_p);
		break;
#ifdef INET6
	case AF_INET6:
		i = sizeof(struct ip6_hdr);
		off = offsetof(struct ip6_hdr, ip6_nxt);
		break;
#endif /* INET6 */
	default:
		DPRINTF(("%s: unsupported protocol family %u\n",
		    __func__, dst->sa.sa_family));
		error = EPFNOSUPPORT;
		IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf);
		goto bad;
	}
	error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off);
	return (error);
bad:
	IPSECSTAT_INC(ips_out_inval);
	if (m != NULL)
		m_freem(m);
	if (sav != NULL)
		key_freesav(&sav);
	key_freesp(&sp);
	return (error);
}

int
ipsec4_process_packet(struct mbuf *m, struct secpolicy *sp,
    struct inpcb *inp)
{

294
	return (ipsec4_perform_request(m, sp, inp, 0));
295
296
}

297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
int
ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
{
	union sockaddr_union *dst;
	struct in_conninfo inc;
	struct secasvar *sav;
	struct ip *ip;
	size_t hlen, pmtu;
	uint32_t idx;
	int error;

	/* Don't check PMTU if the frame won't have DF bit set. */
	if (!V_ip4_ipsec_dfbit)
		return (0);
	if (V_ip4_ipsec_dfbit == 1)
		goto setdf;

	/* V_ip4_ipsec_dfbit > 1 - we will copy it from inner header. */
	ip = mtod(m, struct ip *);
	if (!(ip->ip_off & htons(IP_DF)))
		return (0);

setdf:
	idx = sp->tcount - 1;
	sav = ipsec4_allocsa(m, sp, &idx, &error);
	if (sav == NULL) {
		key_freesp(&sp);
324
325
326
327
328
329
		/*
		 * No matching SA was found and SADB_ACQUIRE message was generated.
		 * Since we have matched a SP to this packet drop it silently.
		 */
		if (error == 0)
			error = EINPROGRESS;
330
331
332
333
334
335
336
		if (error != EJUSTRETURN)
			m_freem(m);

		return (error);
	}

	dst = &sav->sah->saidx.dst;
337
338
339
340
341
342
343
344
345
346
347
348
	memset(&inc, 0, sizeof(inc));
	switch (dst->sa.sa_family) {
	case AF_INET:
		inc.inc_faddr = satosin(&dst->sa)->sin_addr;
		break;
#ifdef INET6
	case AF_INET6:
		inc.inc6_faddr = satosin6(&dst->sa)->sin6_addr;
		inc.inc_flags |= INC_ISIPV6;
		break;
#endif
	default:
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
		key_freesav(&sav);
		return (0);
	}

	key_freesav(&sav);
	pmtu = tcp_hc_getmtu(&inc);
	/* No entry in hostcache. */
	if (pmtu == 0)
		return (0);

	hlen = ipsec_hdrsiz_internal(sp);
	if (m_length(m, NULL) + hlen > pmtu) {
		/*
		 * If we're forwarding generate ICMP message here,
		 * so that it contains pmtu and not link mtu.
		 * Set error to EINPROGRESS, in order for the frame
		 * to be dropped silently.
		 */
		if (forwarding) {
			if (pmtu > hlen)
				icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
				    0, pmtu - hlen);
			else
				m_freem(m);

			key_freesp(&sp);
			return (EINPROGRESS); /* Pretend that we consumed it. */
		} else {
			m_freem(m);
			key_freesp(&sp);
			return (EMSGSIZE);
		}
	}

	return (0);
}

386
387
388
389
390
391
392
static int
ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
{
	struct secpolicy *sp;
	int error;

	/* Lookup for the corresponding outbound security policy */
393
	sp = ipsec4_checkpolicy(m, inp, &error, !forwarding);
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
	if (sp == NULL) {
		if (error == -EINVAL) {
			/* Discarded by policy. */
			m_freem(m);
			return (EACCES);
		}
		return (0); /* No IPsec required. */
	}

	/*
	 * Usually we have to have tunnel mode IPsec security policy
	 * when we are forwarding a packet. Otherwise we could not handle
	 * encrypted replies, because they are not destined for us. But
	 * some users are doing source address translation for forwarded
	 * packets, and thus, even if they are forwarded, the replies will
	 * return back to us.
	 */
	if (!forwarding) {
		/*
		 * Do delayed checksums now because we send before
		 * this is done in the normal processing path.
		 */
		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
417
418
419
420
421
422
			m = mb_unmapped_to_ext(m);
			if (m == NULL) {
				IPSECSTAT_INC(ips_out_nomem);
				key_freesp(&sp);
				return (ENOBUFS);
			}
423
424
425
			in_delayed_cksum(m);
			m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
		}
426
#if defined(SCTP) || defined(SCTP_SUPPORT)
427
		if (m->m_pkthdr.csum_flags & CSUM_SCTP) {
428
			struct ip *ip;
429

430
431
432
433
434
435
436
			m = mb_unmapped_to_ext(m);
			if (m == NULL) {
				IPSECSTAT_INC(ips_out_nomem);
				key_freesp(&sp);
				return (ENOBUFS);
			}
			ip = mtod(m, struct ip *);
437
438
439
			sctp_delayed_cksum(m, (uint32_t)(ip->ip_hl << 2));
			m->m_pkthdr.csum_flags &= ~CSUM_SCTP;
		}
440
#endif
441
442
	}
	/* NB: callee frees mbuf and releases reference to SP */
443
444
445
446
447
448
449
450
	error = ipsec4_check_pmtu(m, sp, forwarding);
	if (error != 0) {
		if (error == EJUSTRETURN)
			return (0);

		return (error);
	}

451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
	error = ipsec4_process_packet(m, sp, inp);
	if (error == EJUSTRETURN) {
		/*
		 * We had a SP with a level of 'use' and no SA. We
		 * will just continue to process the packet without
		 * IPsec processing and return without error.
		 */
		return (0);
	}
	if (error == 0)
		return (EINPROGRESS); /* consumed by IPsec */
	return (error);
}

/*
 * IPSEC_OUTPUT() method implementation for IPv4.
 * 0 - no IPsec handling needed
 * other values - mbuf consumed by IPsec.
 */
int
ipsec4_output(struct mbuf *m, struct inpcb *inp)
{

	/*
	 * If the packet is resubmitted to ip_output (e.g. after
	 * AH, ESP, etc. processing), there will be a tag to bypass
	 * the lookup and related policy checking.
	 */
	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL)
		return (0);

	return (ipsec4_common_output(m, inp, 0));
}

/*
 * IPSEC_FORWARD() method implementation for IPv4.
 * 0 - no IPsec handling needed
 * other values - mbuf consumed by IPsec.
 */
int
ipsec4_forward(struct mbuf *m)
{

	/*
	 * Check if this packet has an active inbound SP and needs to be
	 * dropped instead of forwarded.
	 */
	if (ipsec4_in_reject(m, NULL) != 0) {
		m_freem(m);
		return (EACCES);
	}
	return (ipsec4_common_output(m, NULL, 1));
}
#endif

#ifdef INET6
static int
in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa,
    const struct in6_addr *ia)
{
	struct in6_addr ia2;

	if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr)) {
		memcpy(&ia2, &sa->sin6_addr, sizeof(ia2));
		ia2.s6_addr16[1] = htons(sa->sin6_scope_id);
		return (IN6_ARE_ADDR_EQUAL(ia, &ia2));
	}
	return (IN6_ARE_ADDR_EQUAL(&sa->sin6_addr, ia));
}

static struct secasvar *
ipsec6_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error)
{
	struct secasindex *saidx, tmpsaidx;
	struct ipsecrequest *isr;
	struct sockaddr_in6 *sin6;
	struct secasvar *sav;
	struct ip6_hdr *ip6;

	/*
	 * Check system global policy controls.
	 */
next:
	isr = sp->req[*pidx];
	if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) ||
	    (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) ||
	    (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
		DPRINTF(("%s: IPsec outbound packet dropped due"
			" to policy (check your sysctls)\n", __func__));
		IPSEC_OSTAT_INC(isr->saidx.proto, pdrops);
		*error = EHOSTUNREACH;
		return (NULL);
	}
	/*
	 * Craft SA index to search for proper SA.  Note that
	 * we only fillin unspecified SA peers for transport
	 * mode; for tunnel mode they must already be filled in.
	 */
	if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
		saidx = &tmpsaidx;
		*saidx = isr->saidx;
		ip6 = mtod(m, struct ip6_hdr *);
		if (saidx->src.sin6.sin6_len == 0) {
			sin6 = (struct sockaddr_in6 *)&saidx->src;
			sin6->sin6_len = sizeof(*sin6);
			sin6->sin6_family = AF_INET6;
			sin6->sin6_port = IPSEC_PORT_ANY;
			sin6->sin6_addr = ip6->ip6_src;
			if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
				/* fix scope id for comparing SPD */
				sin6->sin6_addr.s6_addr16[1] = 0;
				sin6->sin6_scope_id =
				    ntohs(ip6->ip6_src.s6_addr16[1]);
			}
		}
		if (saidx->dst.sin6.sin6_len == 0) {
			sin6 = (struct sockaddr_in6 *)&saidx->dst;
			sin6->sin6_len = sizeof(*sin6);
			sin6->sin6_family = AF_INET6;
			sin6->sin6_port = IPSEC_PORT_ANY;
			sin6->sin6_addr = ip6->ip6_dst;
			if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
				/* fix scope id for comparing SPD */
				sin6->sin6_addr.s6_addr16[1] = 0;
				sin6->sin6_scope_id =
				    ntohs(ip6->ip6_dst.s6_addr16[1]);
			}
		}
	} else
		saidx = &sp->req[*pidx]->saidx;
	/*
	 * Lookup SA and validate it.
	 */
	sav = key_allocsa_policy(sp, saidx, error);
	if (sav == NULL) {
		IPSEC6STAT_INC(ips_out_nosa);
		if (*error != 0)
			return (NULL);
		if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) {
			/*
			 * We have no SA and policy that doesn't require
			 * this IPsec transform, thus we can continue w/o
			 * IPsec processing, i.e. return EJUSTRETURN.
			 * But first check if there is some bundled transform.
			 */
			if (sp->tcount > ++(*pidx))
				goto next;
			*error = EJUSTRETURN;
		}
		return (NULL);
	}
	IPSEC_ASSERT(sav->tdb_xform != NULL, ("SA with NULL tdb_xform"));
	return (sav);
}

/*
 * IPsec output logic for IPv6.
 */
static int
610
611
ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp,
    struct inpcb *inp, u_int idx)
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
{
	struct ipsec_ctx_data ctx;
	union sockaddr_union *dst;
	struct secasvar *sav;
	struct ip6_hdr *ip6;
	int error, i, off;

	IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx));

	sav = ipsec6_allocsa(m, sp, &idx, &error);
	if (sav == NULL) {
		if (error == EJUSTRETURN) { /* No IPsec required */
			key_freesp(&sp);
			return (error);
		}
		goto bad;
	}

	/* Fix IP length in case if it is not set yet. */
	ip6 = mtod(m, struct ip6_hdr *);
	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));

634
	IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET6, IPSEC_ENC_BEFORE);
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
		goto bad;

	ip6 = mtod(m, struct ip6_hdr *); /* pfil can change mbuf */
	dst = &sav->sah->saidx.dst;

	/* Do the appropriate encapsulation, if necessary */
	if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
	    dst->sa.sa_family != AF_INET6 ||        /* PF mismatch */
	    ((dst->sa.sa_family == AF_INET6) &&
	     (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) &&
	     (!in6_sa_equal_addrwithscope(&dst->sin6, &ip6->ip6_dst)))) {
		if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) {
			/* No jumbogram support. */
			error = ENXIO;   /*XXX*/
			goto bad;
		}
		error = ipsec_encap(&m, &sav->sah->saidx);
		if (error != 0) {
654
655
656
			DPRINTF(("%s: encapsulation for SPI 0x%08x failed "
			    "with error %d\n", __func__, ntohl(sav->spi),
			    error));
657
658
659
			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
			goto bad;
		}
660
		inp = NULL;
661
662
	}

663
	IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
		goto bad;

	switch(dst->sa.sa_family) {
#ifdef INET
	case AF_INET:
		{
		struct ip *ip;
		ip = mtod(m, struct ip *);
		i = ip->ip_hl << 2;
		off = offsetof(struct ip, ip_p);
		}
		break;
#endif /* AF_INET */
	case AF_INET6:
		i = sizeof(struct ip6_hdr);
		off = offsetof(struct ip6_hdr, ip6_nxt);
		break;
	default:
		DPRINTF(("%s: unsupported protocol family %u\n",
				 __func__, dst->sa.sa_family));
		error = EPFNOSUPPORT;
		IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf);
		goto bad;
	}
	error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off);
	return (error);
bad:
	IPSEC6STAT_INC(ips_out_inval);
	if (m != NULL)
		m_freem(m);
	if (sav != NULL)
		key_freesav(&sav);
	key_freesp(&sp);
	return (error);
}

int
ipsec6_process_packet(struct mbuf *m, struct secpolicy *sp,
    struct inpcb *inp)
{

706
	return (ipsec6_perform_request(m, sp, inp, 0));
707
708
709
710
711
712
713
714
715
}

static int
ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
{
	struct secpolicy *sp;
	int error;

	/* Lookup for the corresponding outbound security policy */
716
	sp = ipsec6_checkpolicy(m, inp, &error, !forwarding);
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
	if (sp == NULL) {
		if (error == -EINVAL) {
			/* Discarded by policy. */
			m_freem(m);
			return (EACCES);
		}
		return (0); /* No IPsec required. */
	}

	if (!forwarding) {
		/*
		 * Do delayed checksums now because we send before
		 * this is done in the normal processing path.
		 */
		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
732
733
734
735
736
737
			m = mb_unmapped_to_ext(m);
			if (m == NULL) {
				IPSEC6STAT_INC(ips_out_nomem);
				key_freesp(&sp);
				return (ENOBUFS);
			}
738
739
			in6_delayed_cksum(m, m->m_pkthdr.len -
			    sizeof(struct ip6_hdr), sizeof(struct ip6_hdr));
740
			m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
741
		}
742
#if defined(SCTP) || defined(SCTP_SUPPORT)
743
		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) {
744
745
746
747
748
749
			m = mb_unmapped_to_ext(m);
			if (m == NULL) {
				IPSEC6STAT_INC(ips_out_nomem);
				key_freesp(&sp);
				return (ENOBUFS);
			}
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
			sctp_delayed_cksum(m, sizeof(struct ip6_hdr));
			m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
		}
#endif
	}
	/* NB: callee frees mbuf and releases reference to SP */
	error = ipsec6_process_packet(m, sp, inp);
	if (error == EJUSTRETURN) {
		/*
		 * We had a SP with a level of 'use' and no SA. We
		 * will just continue to process the packet without
		 * IPsec processing and return without error.
		 */
		return (0);
	}
	if (error == 0)
		return (EINPROGRESS); /* consumed by IPsec */
	return (error);
}

/*
 * IPSEC_OUTPUT() method implementation for IPv6.
 * 0 - no IPsec handling needed
 * other values - mbuf consumed by IPsec.
 */
int
ipsec6_output(struct mbuf *m, struct inpcb *inp)
{

	/*
	 * If the packet is resubmitted to ip_output (e.g. after
	 * AH, ESP, etc. processing), there will be a tag to bypass
	 * the lookup and related policy checking.
	 */
	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL)
		return (0);

	return (ipsec6_common_output(m, inp, 0));
}

/*
 * IPSEC_FORWARD() method implementation for IPv6.
 * 0 - no IPsec handling needed
 * other values - mbuf consumed by IPsec.
 */
int
ipsec6_forward(struct mbuf *m)
{

	/*
	 * Check if this packet has an active inbound SP and needs to be
	 * dropped instead of forwarded.
	 */
	if (ipsec6_in_reject(m, NULL) != 0) {
		m_freem(m);
		return (EACCES);
	}
	return (ipsec6_common_output(m, NULL, 1));
}
#endif /* INET6 */
810

811
int
812
813
ipsec_process_done(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
    u_int idx)
814
{
815
	struct epoch_tracker et;
816
	struct xform_history *xh;
817
	struct secasindex *saidx;
818
	struct m_tag *mtag;
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
	int error;

	saidx = &sav->sah->saidx;
	switch (saidx->dst.sa.sa_family) {
#ifdef INET
	case AF_INET:
		/* Fix the header length, for AH processing. */
		mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
		break;
#endif /* INET */
#ifdef INET6
	case AF_INET6:
		/* Fix the header length, for AH processing. */
		if (m->m_pkthdr.len < sizeof (struct ip6_hdr)) {
			error = ENXIO;
			goto bad;
		}
		if (m->m_pkthdr.len - sizeof (struct ip6_hdr) > IPV6_MAXPACKET) {
			/* No jumbogram support. */
			error = ENXIO;	/*?*/
			goto bad;
		}
		mtod(m, struct ip6_hdr *)->ip6_plen =
			htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
		break;
#endif /* INET6 */
	default:
846
		DPRINTF(("%s: unknown protocol family %u\n", __func__,
847
848
849
850
851
852
		    saidx->dst.sa.sa_family));
		error = ENXIO;
		goto bad;
	}

	/*
853
	 * Add a record of what we've done to the packet.
854
	 */
855
	mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(*xh), M_NOWAIT);
856
	if (mtag == NULL) {
857
		DPRINTF(("%s: could not get packet tag\n", __func__));
858
859
860
861
		error = ENOMEM;
		goto bad;
	}

862
863
864
865
866
	xh = (struct xform_history *)(mtag + 1);
	xh->dst = saidx->dst;
	xh->proto = saidx->proto;
	xh->mode = saidx->mode;
	xh->spi = sav->spi;
867
868
	m_tag_prepend(m, mtag);

869
870
	key_sa_recordxfer(sav, m);		/* record data transfer */

871
872
873
874
875
876
877
	/*
	 * If there's another (bundled) SA to apply, do so.
	 * Note that this puts a burden on the kernel stack size.
	 * If this is a problem we'll need to introduce a queue
	 * to set the packet on so we can unwind the stack before
	 * doing further processing.
	 */
878
	if (++idx < sp->tcount) {
879
880
881
		switch (saidx->dst.sa.sa_family) {
#ifdef INET
		case AF_INET:
882
			key_freesav(&sav);
883
			IPSECSTAT_INC(ips_out_bundlesa);
884
			return (ipsec4_perform_request(m, sp, NULL, idx));
885
886
887
888
			/* NOTREACHED */
#endif
#ifdef INET6
		case AF_INET6:
889
			key_freesav(&sav);
890
			IPSEC6STAT_INC(ips_out_bundlesa);
891
			return (ipsec6_perform_request(m, sp, NULL, idx));
892
893
894
895
896
			/* NOTREACHED */
#endif /* INET6 */
		default:
			DPRINTF(("%s: unknown protocol family %u\n", __func__,
			    saidx->dst.sa.sa_family));
897
			error = EPFNOSUPPORT;
898
899
			goto bad;
		}
900
901
	}

902
903
904
905
906
907
908
909
910
911
912
	key_freesp(&sp), sp = NULL;	/* Release reference to SP */
#ifdef INET
	/*
	 * Do UDP encapsulation if SA requires it.
	 */
	if (sav->natt != NULL) {
		error = udp_ipsec_output(m, sav);
		if (error != 0)
			goto bad;
	}
#endif /* INET */
913
914
	/*
	 * We're done with IPsec processing, transmit the packet using the
915
	 * appropriate network protocol (IP or IPv6).
916
	 */
917
	NET_EPOCH_ENTER(et);
918
919
920
	switch (saidx->dst.sa.sa_family) {
#ifdef INET
	case AF_INET:
921
		key_freesav(&sav);
922
923
		error = ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL);
		break;
924
925
926
#endif /* INET */
#ifdef INET6
	case AF_INET6:
927
		key_freesav(&sav);
928
929
		error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
		break;
930
#endif /* INET6 */
931
932
	default:
		panic("ipsec_process_done");
933
	}
934
935
	NET_EPOCH_EXIT(et);
	return (error);
936
937
bad:
	m_freem(m);
938
939
940
	key_freesav(&sav);
	if (sp != NULL)
		key_freesp(&sp);
941
942
943
	return (error);
}

944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
/*
 * ipsec_prepend() is optimized version of M_PREPEND().
 * ipsec_encap() is called by IPsec output routine for tunnel mode SA.
 * It is expected that after IP encapsulation some IPsec transform will
 * be performed. Each IPsec transform inserts its variable length header
 * just after outer IP header using m_makespace(). If given mbuf has not
 * enough free space at the beginning, we allocate new mbuf and reserve
 * some space at the beginning and at the end.
 * This helps avoid allocating of new mbuf and data copying in m_makespace(),
 * we place outer header in the middle of mbuf's data with reserved leading
 * and trailing space:
 *	[ LEADINGSPACE ][ Outer IP header ][ TRAILINGSPACE ]
 * LEADINGSPACE will be used to add ethernet header, TRAILINGSPACE will
 * be used to inject AH/ESP/IPCOMP header.
 */
#define	IPSEC_TRAILINGSPACE	(sizeof(struct udphdr) +/* NAT-T */	\
    max(sizeof(struct newesp) + EALG_MAX_BLOCK_LEN,	/* ESP + IV */	\
	sizeof(struct newah) + HASH_MAX_LEN		/* AH + ICV */))
static struct mbuf *
ipsec_prepend(struct mbuf *m, int len, int how)
964
{
965
966
967
968
969
970
971
972
973
974
	struct mbuf *n;

	M_ASSERTPKTHDR(m);
	IPSEC_ASSERT(len < MHLEN, ("wrong length"));
	if (M_LEADINGSPACE(m) >= len) {
		/* No need to allocate new mbuf. */
		m->m_data -= len;
		m->m_len += len;
		m->m_pkthdr.len += len;
		return (m);
975
	}
976
977
978
979
	n = m_gethdr(how, m->m_type);
	if (n == NULL) {
		m_freem(m);
		return (NULL);
980
	}
981
982
983
984
985
986
987
	m_move_pkthdr(n, m);
	n->m_next = m;
	if (len + IPSEC_TRAILINGSPACE < M_SIZE(n))
		m_align(n, len + IPSEC_TRAILINGSPACE);
	n->m_len = len;
	n->m_pkthdr.len += len;
	return (n);
988
989
}

990
991
992
993
994
995
996
997
998
999
1000
static int
ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
{
#ifdef INET6
	struct ip6_hdr *ip6;
#endif
	struct ip *ip;
	int setdf;
	uint8_t itos, proto;

	ip = mtod(*mp, struct ip *);
For faster browsing, not all history is shown. View entire blame