2 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * $FreeBSD: src/sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $
27 * $DragonFly: src/sys/netproto/ipsec/ipsec_output.c,v 1.7 2005/06/03 00:22:27 hmp Exp $
31 * IPsec output processing.
34 #include "opt_inet6.h"
35 #include "opt_ipsec.h"
37 #include <sys/param.h>
38 #include <sys/systm.h>
40 #include <sys/domain.h>
41 #include <sys/protosw.h>
42 #include <sys/socket.h>
43 #include <sys/errno.h>
44 #include <sys/syslog.h>
45 #include <sys/in_cksum.h>
48 #include <net/route.h>
50 #include <netinet/in.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip_var.h>
54 #include <netinet/in_var.h>
55 #include <netinet/ip_ecn.h>
57 #include <netinet6/ip6_ecn.h>
60 #include <netinet/ip6.h>
62 #include <netinet6/ip6_var.h>
64 #include <netinet/in_pcb.h>
66 #include <netinet/icmp6.h>
69 #include <netproto/ipsec/ipsec.h>
71 #include <netproto/ipsec/ipsec6.h>
73 #include <netproto/ipsec/ah_var.h>
74 #include <netproto/ipsec/esp_var.h>
75 #include <netproto/ipsec/ipcomp_var.h>
77 #include <netproto/ipsec/xform.h>
79 #include <netproto/ipsec/key.h>
80 #include <netproto/ipsec/keydb.h>
81 #include <netproto/ipsec/key_debug.h>
84 ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
86 struct tdb_ident *tdbi;
89 struct secasindex *saidx;
92 SPLASSERT(net, "ipsec_process_done");
94 KASSERT(m != NULL, ("ipsec_process_done: null mbuf"));
95 KASSERT(isr != NULL, ("ipsec_process_done: null ISR"));
97 KASSERT(sav != NULL, ("ipsec_process_done: null SA"));
98 KASSERT(sav->sah != NULL, ("ipsec_process_done: null SAH"));
100 saidx = &sav->sah->saidx;
101 switch (saidx->dst.sa.sa_family) {
104 /* Fix the header length, for AH processing. */
105 mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
110 /* Fix the header length, for AH processing. */
111 if (m->m_pkthdr.len < sizeof (struct ip6_hdr)) {
115 if (m->m_pkthdr.len - sizeof (struct ip6_hdr) > IPV6_MAXPACKET) {
116 /* No jumbogram support. */
120 mtod(m, struct ip6_hdr *)->ip6_plen =
121 htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
125 DPRINTF(("ipsec_process_done: unknown protocol family %u\n",
126 saidx->dst.sa.sa_family));
132 * Add a record of what we've done or what needs to be done to the
135 mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE,
136 sizeof(struct tdb_ident), M_NOWAIT);
138 DPRINTF(("ipsec_process_done: could not get packet tag\n"));
143 tdbi = (struct tdb_ident *)(mtag + 1);
144 tdbi->dst = saidx->dst;
145 tdbi->proto = saidx->proto;
146 tdbi->spi = sav->spi;
147 m_tag_prepend(m, mtag);
150 * If there's another (bundled) SA to apply, do so.
151 * Note that this puts a burden on the kernel stack size.
152 * If this is a problem we'll need to introduce a queue
153 * to set the packet on so we can unwind the stack before
154 * doing further processing.
157 newipsecstat.ips_out_bundlesa++;
158 return ipsec4_process_packet(m, isr->next, 0, 0);
162 * We're done with IPsec processing, transmit the packet using the
163 * appropriate network protocol (IP or IPv6). SPD lookup will be
164 * performed again there.
166 switch (saidx->dst.sa.sa_family) {
170 ip = mtod(m, struct ip *);
171 ip->ip_len = ntohs(ip->ip_len);
172 ip->ip_off = ntohs(ip->ip_off);
174 return ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL);
179 * We don't need massage, IPv6 header fields are always in
182 return ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
185 panic("ipsec_process_done");
192 static struct ipsecrequest *
195 struct ipsecrequest *isr,
197 struct secasindex *saidx,
201 #define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \
202 isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
203 struct secasvar *sav;
205 SPLASSERT(net, "ipsec_nextisr");
206 KASSERT(af == AF_INET || af == AF_INET6,
207 ("ipsec_nextisr: invalid address family %u", af));
210 * Craft SA index to search for proper SA. Note that
211 * we only fillin unspecified SA peers for transport
212 * mode; for tunnel mode they must already be filled in.
215 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
216 /* Fillin unspecified SA peers only for transport mode */
218 struct sockaddr_in *sin;
219 struct ip *ip = mtod(m, struct ip *);
221 if (saidx->src.sa.sa_len == 0) {
222 sin = &saidx->src.sin;
223 sin->sin_len = sizeof(*sin);
224 sin->sin_family = AF_INET;
225 sin->sin_port = IPSEC_PORT_ANY;
226 sin->sin_addr = ip->ip_src;
228 if (saidx->dst.sa.sa_len == 0) {
229 sin = &saidx->dst.sin;
230 sin->sin_len = sizeof(*sin);
231 sin->sin_family = AF_INET;
232 sin->sin_port = IPSEC_PORT_ANY;
233 sin->sin_addr = ip->ip_dst;
236 struct sockaddr_in6 *sin6;
237 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
239 if (saidx->src.sin6.sin6_len == 0) {
240 sin6 = (struct sockaddr_in6 *)&saidx->src;
241 sin6->sin6_len = sizeof(*sin6);
242 sin6->sin6_family = AF_INET6;
243 sin6->sin6_port = IPSEC_PORT_ANY;
244 sin6->sin6_addr = ip6->ip6_src;
245 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
246 /* fix scope id for comparing SPD */
247 sin6->sin6_addr.s6_addr16[1] = 0;
248 sin6->sin6_scope_id =
249 ntohs(ip6->ip6_src.s6_addr16[1]);
252 if (saidx->dst.sin6.sin6_len == 0) {
253 sin6 = (struct sockaddr_in6 *)&saidx->dst;
254 sin6->sin6_len = sizeof(*sin6);
255 sin6->sin6_family = AF_INET6;
256 sin6->sin6_port = IPSEC_PORT_ANY;
257 sin6->sin6_addr = ip6->ip6_dst;
258 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
259 /* fix scope id for comparing SPD */
260 sin6->sin6_addr.s6_addr16[1] = 0;
261 sin6->sin6_scope_id =
262 ntohs(ip6->ip6_dst.s6_addr16[1]);
269 * Lookup SA and validate it.
271 *error = key_checkrequest(isr, saidx);
274 * IPsec processing is required, but no SA found.
275 * I assume that key_acquire() had been called
276 * to get/establish the SA. Here I discard
277 * this packet because it is responsibility for
278 * upper layer to retransmit the packet.
280 newipsecstat.ips_out_nosa++;
284 if (sav == NULL) { /* XXX valid return */
285 KASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
286 ("ipsec_nextisr: no SA found, but required; level %u",
287 ipsec_get_reqlevel(isr)));
291 *error = EINVAL; /*XXX*/
298 * Check system global policy controls.
300 if ((isr->saidx.proto == IPPROTO_ESP && !esp_enable) ||
301 (isr->saidx.proto == IPPROTO_AH && !ah_enable) ||
302 (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) {
303 DPRINTF(("ipsec_nextisr: IPsec outbound packet dropped due"
304 " to policy (check your sysctls)\n"));
305 IPSEC_OSTAT(espstat.esps_pdrops, ahstat.ahs_pdrops,
306 ipcompstat.ipcomps_pdrops);
307 *error = EHOSTUNREACH;
312 * Sanity check the SA contents for the caller
313 * before they invoke the xform output method.
315 if (sav->tdb_xform == NULL) {
316 DPRINTF(("ipsec_nextisr: no transform for SA\n"));
317 IPSEC_OSTAT(espstat.esps_noxform, ahstat.ahs_noxform,
318 ipcompstat.ipcomps_noxform);
319 *error = EHOSTUNREACH;
324 KASSERT(*error != 0, ("ipsec_nextisr: error return w/ no error code"));
331 * IPsec output logic for IPv4.
334 ipsec4_process_packet(
336 struct ipsecrequest *isr,
340 struct secasindex saidx;
341 struct secasvar *sav;
345 KASSERT(m != NULL, ("ipsec4_process_packet: null mbuf"));
346 KASSERT(isr != NULL, ("ipsec4_process_packet: null isr"));
350 isr = ipsec_nextisr(m, isr, AF_INET, &saidx, &error);
356 union sockaddr_union *dst = &sav->sah->saidx.dst;
360 * Collect IP_DF state from the outer header.
362 if (dst->sa.sa_family == AF_INET) {
363 if (m->m_len < sizeof (struct ip) &&
364 (m = m_pullup(m, sizeof (struct ip))) == NULL) {
368 ip = mtod(m, struct ip *);
369 /* Honor system-wide control of how to handle IP_DF */
370 switch (ip4_ipsec_dfbit) {
371 case 0: /* clear in outer header */
372 case 1: /* set in outer header */
373 setdf = ip4_ipsec_dfbit;
375 default: /* propagate to outer header */
376 setdf = ntohs(ip->ip_off & IP_DF);
380 ip = NULL; /* keep compiler happy */
383 /* Do the appropriate encapsulation, if necessary */
384 if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
385 dst->sa.sa_family != AF_INET || /* PF mismatch */
387 (sav->flags & SADB_X_SAFLAGS_TUNNEL) || /* Tunnel requ'd */
388 sav->tdb_xform->xf_type == XF_IP4 || /* ditto */
390 (dst->sa.sa_family == AF_INET && /* Proxy */
391 dst->sin.sin_addr.s_addr != INADDR_ANY &&
392 dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) {
395 /* Fix IPv4 header checksum and length */
396 if (m->m_len < sizeof (struct ip) &&
397 (m = m_pullup(m, sizeof (struct ip))) == NULL) {
401 ip = mtod(m, struct ip *);
402 ip->ip_len = htons(m->m_pkthdr.len);
405 if (ip->ip_vhl == IP_VHL_BORING)
406 ip->ip_sum = in_cksum_hdr(ip);
408 ip->ip_sum = in_cksum(m,
409 _IP_VHL_HL(ip->ip_vhl) << 2);
411 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
414 /* Encapsulate the packet */
415 error = ipip_output(m, isr, &mp, 0, 0);
416 if (mp == NULL && !error) {
417 /* Should never happen. */
418 DPRINTF(("ipsec4_process_packet: ipip_output "
419 "returns no mbuf and no error!"));
429 * ipip_output clears IP_DF in the new header. If
430 * we need to propagate IP_DF from the outer header,
431 * then we have to do it here.
433 * XXX shouldn't assume what ipip_output does.
435 if (dst->sa.sa_family == AF_INET && setdf) {
436 if (m->m_len < sizeof (struct ip) &&
437 (m = m_pullup(m, sizeof (struct ip))) == NULL) {
441 ip = mtod(m, struct ip *);
442 ip->ip_off = ntohs(ip->ip_off);
444 ip->ip_off = htons(ip->ip_off);
450 * Dispatch to the appropriate IPsec transform logic. The
451 * packet will be returned for transmission after crypto
452 * processing, etc. are completed. For encapsulation we
453 * bypass this call because of the explicit call done above
454 * (necessary to deal with IP_DF handling for IPv4).
456 * NB: m & sav are ``passed to caller'' who's reponsible for
457 * for reclaiming their resources.
459 if (sav->tdb_xform->xf_type != XF_IP4) {
460 ip = mtod(m, struct ip *);
462 off = offsetof(struct ip, ip_p);
463 error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
465 error = ipsec_process_done(m, isr);
479 * Chop IP6 header from the payload.
482 ipsec6_splithdr(struct mbuf *m)
488 KASSERT(m->m_len >= sizeof (struct ip6_hdr),
489 ("ipsec6_splithdr: first mbuf too short, len %u", m->m_len));
490 ip6 = mtod(m, struct ip6_hdr *);
491 hlen = sizeof(struct ip6_hdr);
492 if (m->m_len > hlen) {
493 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
498 M_MOVE_PKTHDR(mh, m);
505 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
506 } else if (m->m_len < hlen) {
507 m = m_pullup(m, hlen);
515 * IPsec output logic for IPv6, transport mode.
519 struct ipsec_output_state *state,
522 struct secpolicy *sp,
526 struct ipsecrequest *isr;
527 struct secasindex saidx;
531 KASSERT(state != NULL, ("ipsec6_output: null state"));
532 KASSERT(state->m != NULL, ("ipsec6_output: null m"));
533 KASSERT(nexthdrp != NULL, ("ipsec6_output: null nexthdrp"));
534 KASSERT(mprev != NULL, ("ipsec6_output: null mprev"));
535 KASSERT(sp != NULL, ("ipsec6_output: null sp"));
536 KASSERT(tun != NULL, ("ipsec6_output: null tun"));
538 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
539 printf("ipsec6_output_trans: applyed SP\n");
540 kdebug_secpolicy(sp));
543 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
544 /* the rest will be handled by ipsec6_output_tunnel() */
545 *tun = 1; /* need tunnel-mode processing */
552 isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error);
555 /* XXX should notification be done for all errors ? */
557 * Notify the fact that the packet is discarded
558 * to ourselves. I believe this is better than
559 * just silently discarding. (jinmei@kame.net)
560 * XXX: should we restrict the error to TCP packets?
561 * XXX: should we directly notify sockets via
564 icmp6_error(m, ICMP6_DST_UNREACH,
565 ICMP6_DST_UNREACH_ADMIN, 0);
566 m = NULL; /* NB: icmp6_error frees mbuf */
571 return (*isr->sav->tdb_xform->xf_output)(m, isr, NULL,
572 sizeof (struct ip6_hdr),
573 offsetof(struct ip6_hdr, ip6_nxt));
582 ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
584 struct ip6_hdr *oip6;
588 /* can't tunnel between different AFs */
589 if (sav->sah->saidx.src.sa.sa_family != AF_INET6 ||
590 sav->sah->saidx.dst.sa.sa_family != AF_INET6) {
594 KASSERT(m->m_len != sizeof (struct ip6_hdr),
595 ("ipsec6_encapsulate: mbuf wrong size; len %u", m->m_len));
599 * grow the mbuf to accomodate the new IPv6 header.
601 plen = m->m_pkthdr.len;
602 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
604 MGET(n, MB_DONTWAIT, MT_DATA);
609 n->m_len = sizeof(struct ip6_hdr);
610 n->m_next = m->m_next;
612 m->m_pkthdr.len += sizeof(struct ip6_hdr);
613 oip6 = mtod(n, struct ip6_hdr *);
615 m->m_next->m_len += sizeof(struct ip6_hdr);
616 m->m_next->m_data -= sizeof(struct ip6_hdr);
617 m->m_pkthdr.len += sizeof(struct ip6_hdr);
618 oip6 = mtod(m->m_next, struct ip6_hdr *);
620 ip6 = mtod(m, struct ip6_hdr *);
621 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
623 /* Fake link-local scope-class addresses */
624 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
625 oip6->ip6_src.s6_addr16[1] = 0;
626 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
627 oip6->ip6_dst.s6_addr16[1] = 0;
629 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
630 /* ECN consideration. */
631 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
632 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
633 ip6->ip6_plen = htons(plen);
635 /* ip6->ip6_plen will be updated in ip6_output() */
637 ip6->ip6_nxt = IPPROTO_IPV6;
638 sav->sah->saidx.src.sin6.sin6_addr = ip6->ip6_src;
639 sav->sah->saidx.dst.sin6.sin6_addr = ip6->ip6_dst;
640 ip6->ip6_hlim = IPV6_DEFHLIM;
642 /* XXX Should ip6_src be updated later ? */
648 * IPsec output logic for IPv6, tunnel mode.
651 ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
654 struct ipsecrequest *isr;
655 struct secasindex saidx;
657 struct sockaddr_in6* dst6;
660 KASSERT(state != NULL, ("ipsec6_output: null state"));
661 KASSERT(state->m != NULL, ("ipsec6_output: null m"));
662 KASSERT(sp != NULL, ("ipsec6_output: null sp"));
664 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
665 printf("ipsec6_output_tunnel: applyed SP\n");
666 kdebug_secpolicy(sp));
670 * transport mode ipsec (before the 1st tunnel mode) is already
671 * processed by ipsec6_output_trans().
673 for (isr = sp->req; isr; isr = isr->next) {
674 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
677 isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error);
682 * There may be the case that SA status will be changed when
683 * we are refering to one. So calling splsoftnet().
685 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
687 * build IPsec tunnel.
689 /* XXX should be processed with other familiy */
690 if (isr->sav->sah->saidx.src.sa.sa_family != AF_INET6) {
691 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
692 "family mismatched between inner and outer, spi=%u\n",
693 ntohl(isr->sav->spi)));
694 newipsecstat.ips_out_inval++;
695 error = EAFNOSUPPORT;
699 m = ipsec6_splithdr(m);
701 newipsecstat.ips_out_nomem++;
705 error = ipsec6_encapsulate(m, isr->sav);
710 ip6 = mtod(m, struct ip6_hdr *);
712 state->ro = &isr->sav->sah->sa_route;
713 state->dst = (struct sockaddr *)&state->ro->ro_dst;
714 dst6 = (struct sockaddr_in6 *)state->dst;
716 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
717 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
718 RTFREE(state->ro->ro_rt);
719 state->ro->ro_rt = NULL;
721 if (state->ro->ro_rt == 0) {
722 bzero(dst6, sizeof(*dst6));
723 dst6->sin6_family = AF_INET6;
724 dst6->sin6_len = sizeof(*dst6);
725 dst6->sin6_addr = ip6->ip6_dst;
728 if (state->ro->ro_rt == 0) {
729 ip6stat.ip6s_noroute++;
730 newipsecstat.ips_out_noroute++;
731 error = EHOSTUNREACH;
735 /* adjust state->dst if tunnel endpoint is offlink */
736 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
737 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
738 dst6 = (struct sockaddr_in6 *)state->dst;
742 m = ipsec6_splithdr(m);
744 newipsecstat.ips_out_nomem++;
748 ip6 = mtod(m, struct ip6_hdr *);
749 return (*isr->sav->tdb_xform->xf_output)(m, isr, NULL,
750 sizeof (struct ip6_hdr),
751 offsetof(struct ip6_hdr, ip6_nxt));