1 /* $NetBSD: ipsec_output.c,v 1.75 2018/05/01 05:42:26 maxv Exp $ */ 2 3 /* 4 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26 * SUCH DAMAGE. 27 * 28 * $FreeBSD: sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $ 29 */ 30 31 #include <sys/cdefs.h> 32 __KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.75 2018/05/01 05:42:26 maxv Exp $"); 33 34 #if defined(_KERNEL_OPT) 35 #include "opt_inet.h" 36 #include "opt_net_mpsafe.h" 37 #endif 38 39 #include <sys/param.h> 40 #include <sys/systm.h> 41 #include <sys/mbuf.h> 42 #include <sys/domain.h> 43 #include <sys/protosw.h> 44 #include <sys/socket.h> 45 #include <sys/errno.h> 46 #include <sys/syslog.h> 47 48 #include <net/if.h> 49 #include <net/route.h> 50 51 #include <netinet/in.h> 52 #include <netinet/in_systm.h> 53 #include <netinet/ip.h> 54 #include <netinet/ip_var.h> 55 #include <netinet/in_var.h> 56 #include <netinet/ip_ecn.h> 57 58 #include <netinet/ip6.h> 59 #ifdef INET6 60 #include <netinet6/ip6_var.h> 61 #endif 62 #include <netinet/in_pcb.h> 63 #ifdef INET6 64 #include <netinet/icmp6.h> 65 #endif 66 #include <netinet/udp.h> 67 68 #include <netipsec/ipsec.h> 69 #include <netipsec/ipsec_var.h> 70 #include <netipsec/ipsec_private.h> 71 #ifdef INET6 72 #include <netipsec/ipsec6.h> 73 #endif 74 #include <netipsec/ah_var.h> 75 #include <netipsec/esp_var.h> 76 #include <netipsec/ipcomp_var.h> 77 78 #include <netipsec/xform.h> 79 80 #include <netipsec/key.h> 81 #include <netipsec/keydb.h> 82 #include <netipsec/key_debug.h> 83 84 static percpu_t *ipsec_rtcache_percpu __cacheline_aligned; 85 86 /* 87 * Add a IPSEC_OUT_DONE tag to mark that we have finished the ipsec processing 88 * It will be used by ip{,6}_output to check if we have already or not 89 * processed this packet. 90 */ 91 static int 92 ipsec_register_done(struct mbuf *m, int *error) 93 { 94 struct m_tag *mtag; 95 96 mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, 0, M_NOWAIT); 97 if (mtag == NULL) { 98 IPSECLOG(LOG_DEBUG, "could not get packet tag\n"); 99 *error = ENOMEM; 100 return -1; 101 } 102 103 m_tag_prepend(m, mtag); 104 return 0; 105 } 106 107 static int 108 ipsec_reinject_ipstack(struct mbuf *m, int af) 109 { 110 int rv = -1; 111 struct route *ro; 112 113 KASSERT(af == AF_INET || af == AF_INET6); 114 115 KERNEL_LOCK_UNLESS_NET_MPSAFE(); 116 ro = percpu_getref(ipsec_rtcache_percpu); 117 switch (af) { 118 #ifdef INET 119 case AF_INET: 120 rv = ip_output(m, NULL, ro, IP_RAWOUTPUT|IP_NOIPNEWID, 121 NULL, NULL); 122 break; 123 #endif 124 #ifdef INET6 125 case AF_INET6: 126 /* 127 * We don't need massage, IPv6 header fields are always in 128 * net endian. 129 */ 130 rv = ip6_output(m, NULL, ro, 0, NULL, NULL, NULL); 131 break; 132 #endif 133 } 134 percpu_putref(ipsec_rtcache_percpu); 135 KERNEL_UNLOCK_UNLESS_NET_MPSAFE(); 136 137 return rv; 138 } 139 140 int 141 ipsec_process_done(struct mbuf *m, const struct ipsecrequest *isr, 142 struct secasvar *sav) 143 { 144 struct secasindex *saidx; 145 int error; 146 #ifdef INET 147 struct ip *ip; 148 #endif 149 #ifdef INET6 150 struct ip6_hdr *ip6; 151 #endif 152 struct mbuf *mo; 153 struct udphdr *udp = NULL; 154 uint64_t *data = NULL; 155 int hlen, roff; 156 157 KASSERT(m != NULL); 158 KASSERT(isr != NULL); 159 KASSERT(sav != NULL); 160 161 saidx = &sav->sah->saidx; 162 163 if (sav->natt_type != 0) { 164 ip = mtod(m, struct ip *); 165 166 hlen = sizeof(struct udphdr); 167 if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) 168 hlen += sizeof(uint64_t); 169 170 mo = m_makespace(m, sizeof(struct ip), hlen, &roff); 171 if (mo == NULL) { 172 char buf[IPSEC_ADDRSTRLEN]; 173 IPSECLOG(LOG_DEBUG, 174 "failed to inject %u byte UDP for SA %s/%08lx\n", 175 hlen, ipsec_address(&saidx->dst, buf, sizeof(buf)), 176 (u_long)ntohl(sav->spi)); 177 error = ENOBUFS; 178 goto bad; 179 } 180 181 udp = (struct udphdr *)(mtod(mo, char *) + roff); 182 data = (uint64_t *)(udp + 1); 183 184 if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) 185 *data = 0; /* NON-IKE Marker */ 186 187 if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) 188 udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT); 189 else 190 udp->uh_sport = key_portfromsaddr(&saidx->src); 191 192 udp->uh_dport = key_portfromsaddr(&saidx->dst); 193 udp->uh_sum = 0; 194 udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2)); 195 } 196 197 /* 198 * Fix the header length, for AH processing. 199 */ 200 switch (saidx->dst.sa.sa_family) { 201 #ifdef INET 202 case AF_INET: 203 ip = mtod(m, struct ip *); 204 ip->ip_len = htons(m->m_pkthdr.len); 205 if (sav->natt_type != 0) 206 ip->ip_p = IPPROTO_UDP; 207 break; 208 #endif 209 #ifdef INET6 210 case AF_INET6: 211 if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { 212 error = ENXIO; 213 goto bad; 214 } 215 if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) { 216 /* No jumbogram support. */ 217 error = ENXIO; /*?*/ 218 goto bad; 219 } 220 ip6 = mtod(m, struct ip6_hdr *); 221 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 222 if (sav->natt_type != 0) 223 ip6->ip6_nxt = IPPROTO_UDP; 224 break; 225 #endif 226 default: 227 IPSECLOG(LOG_DEBUG, "unknown protocol family %u\n", 228 saidx->dst.sa.sa_family); 229 error = ENXIO; 230 goto bad; 231 } 232 233 key_sa_recordxfer(sav, m); 234 235 /* 236 * If there's another (bundled) SA to apply, do so. 237 * Note that this puts a burden on the kernel stack size. 238 * If this is a problem we'll need to introduce a queue 239 * to set the packet on so we can unwind the stack before 240 * doing further processing. 241 */ 242 if (isr->next) { 243 IPSEC_STATINC(IPSEC_STAT_OUT_BUNDLESA); 244 switch (saidx->dst.sa.sa_family) { 245 #ifdef INET 246 case AF_INET: 247 return ipsec4_process_packet(m, isr->next, NULL); 248 #endif 249 #ifdef INET6 250 case AF_INET6: 251 return ipsec6_process_packet(m, isr->next); 252 #endif 253 default: 254 IPSECLOG(LOG_DEBUG, "unknown protocol family %u\n", 255 saidx->dst.sa.sa_family); 256 error = ENXIO; 257 goto bad; 258 } 259 } 260 261 /* 262 * We're done with IPsec processing, mark the packet as processed, 263 * and transmit it using the appropriate network protocol 264 * (IPv4/IPv6). 265 */ 266 267 if (ipsec_register_done(m, &error) < 0) 268 goto bad; 269 270 return ipsec_reinject_ipstack(m, saidx->dst.sa.sa_family); 271 272 bad: 273 m_freem(m); 274 return error; 275 } 276 277 static void 278 ipsec_fill_saidx_bymbuf(struct secasindex *saidx, const struct mbuf *m, 279 const int af) 280 { 281 282 if (af == AF_INET) { 283 struct sockaddr_in *sin; 284 struct ip *ip = mtod(m, struct ip *); 285 286 if (saidx->src.sa.sa_len == 0) { 287 sin = &saidx->src.sin; 288 sin->sin_len = sizeof(*sin); 289 sin->sin_family = AF_INET; 290 sin->sin_port = IPSEC_PORT_ANY; 291 sin->sin_addr = ip->ip_src; 292 } 293 if (saidx->dst.sa.sa_len == 0) { 294 sin = &saidx->dst.sin; 295 sin->sin_len = sizeof(*sin); 296 sin->sin_family = AF_INET; 297 sin->sin_port = IPSEC_PORT_ANY; 298 sin->sin_addr = ip->ip_dst; 299 } 300 } else { 301 struct sockaddr_in6 *sin6; 302 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 303 304 if (saidx->src.sin6.sin6_len == 0) { 305 sin6 = (struct sockaddr_in6 *)&saidx->src; 306 sin6->sin6_len = sizeof(*sin6); 307 sin6->sin6_family = AF_INET6; 308 sin6->sin6_port = IPSEC_PORT_ANY; 309 sin6->sin6_addr = ip6->ip6_src; 310 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 311 /* fix scope id for comparing SPD */ 312 sin6->sin6_addr.s6_addr16[1] = 0; 313 sin6->sin6_scope_id = 314 ntohs(ip6->ip6_src.s6_addr16[1]); 315 } 316 } 317 if (saidx->dst.sin6.sin6_len == 0) { 318 sin6 = (struct sockaddr_in6 *)&saidx->dst; 319 sin6->sin6_len = sizeof(*sin6); 320 sin6->sin6_family = AF_INET6; 321 sin6->sin6_port = IPSEC_PORT_ANY; 322 sin6->sin6_addr = ip6->ip6_dst; 323 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 324 /* fix scope id for comparing SPD */ 325 sin6->sin6_addr.s6_addr16[1] = 0; 326 sin6->sin6_scope_id = 327 ntohs(ip6->ip6_dst.s6_addr16[1]); 328 } 329 } 330 } 331 } 332 333 struct secasvar * 334 ipsec_lookup_sa(const struct ipsecrequest *isr, const struct mbuf *m) 335 { 336 struct secasindex saidx; 337 338 saidx = isr->saidx; 339 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 340 /* Fillin unspecified SA peers only for transport mode */ 341 ipsec_fill_saidx_bymbuf(&saidx, m, isr->saidx.dst.sa.sa_family); 342 } 343 344 return key_lookup_sa_bysaidx(&saidx); 345 } 346 347 /* 348 * ipsec_nextisr can return : 349 * - isr == NULL and error != 0 => something is bad : the packet must be 350 * discarded 351 * - isr == NULL and error == 0 => no more rules to apply, ipsec processing 352 * is done, reinject it in ip stack 353 * - isr != NULL (error == 0) => we need to apply one rule to the packet 354 */ 355 static const struct ipsecrequest * 356 ipsec_nextisr(struct mbuf *m, const struct ipsecrequest *isr, int af, 357 int *error, struct secasvar **ret) 358 { 359 #define IPSEC_OSTAT(type) \ 360 do { \ 361 switch (isr->saidx.proto) { \ 362 case IPPROTO_ESP: \ 363 ESP_STATINC(ESP_STAT_ ## type); \ 364 break; \ 365 case IPPROTO_AH: \ 366 AH_STATINC(AH_STAT_ ## type); \ 367 break; \ 368 default: \ 369 IPCOMP_STATINC(IPCOMP_STAT_ ## type); \ 370 break; \ 371 } \ 372 } while (/*CONSTCOND*/0) 373 374 struct secasvar *sav = NULL; 375 struct secasindex saidx; 376 377 KASSERTMSG(af == AF_INET || af == AF_INET6, 378 "invalid address family %u", af); 379 again: 380 /* 381 * Craft SA index to search for proper SA. Note that 382 * we only fillin unspecified SA peers for transport 383 * mode; for tunnel mode they must already be filled in. 384 */ 385 saidx = isr->saidx; 386 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 387 /* Fillin unspecified SA peers only for transport mode */ 388 ipsec_fill_saidx_bymbuf(&saidx, m, af); 389 } 390 391 /* 392 * Lookup SA and validate it. 393 */ 394 *error = key_checkrequest(isr, &saidx, &sav); 395 if (*error != 0) { 396 /* 397 * IPsec processing is required, but no SA found. 398 * I assume that key_acquire() had been called 399 * to get/establish the SA. Here I discard 400 * this packet because it is responsibility for 401 * upper layer to retransmit the packet. 402 */ 403 IPSEC_STATINC(IPSEC_STAT_OUT_NOSA); 404 goto bad; 405 } 406 /* sav may be NULL here if we have an USE rule */ 407 if (sav == NULL) { 408 KASSERTMSG(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE, 409 "no SA found, but required; level %u", 410 ipsec_get_reqlevel(isr)); 411 isr = isr->next; 412 /* 413 * No more rules to apply, return NULL isr and no error. 414 * It can happen when the last rules are USE rules. 415 */ 416 if (isr == NULL) { 417 *ret = NULL; 418 *error = 0; 419 return isr; 420 } 421 goto again; 422 } 423 424 /* 425 * Check system global policy controls. 426 */ 427 if ((isr->saidx.proto == IPPROTO_ESP && !esp_enable) || 428 (isr->saidx.proto == IPPROTO_AH && !ah_enable) || 429 (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) { 430 IPSECLOG(LOG_DEBUG, "IPsec outbound packet dropped due" 431 " to policy (check your sysctls)\n"); 432 IPSEC_OSTAT(PDROPS); 433 *error = EHOSTUNREACH; 434 KEY_SA_UNREF(&sav); 435 goto bad; 436 } 437 438 /* 439 * Sanity check the SA contents for the caller 440 * before they invoke the xform output method. 441 */ 442 KASSERT(sav->tdb_xform != NULL); 443 *ret = sav; 444 return isr; 445 446 bad: 447 KASSERTMSG(*error != 0, "error return w/ no error code"); 448 return NULL; 449 #undef IPSEC_OSTAT 450 } 451 452 #ifdef INET 453 /* 454 * IPsec output logic for IPv4. 455 */ 456 int 457 ipsec4_process_packet(struct mbuf *m, const struct ipsecrequest *isr, 458 u_long *mtu) 459 { 460 struct secasvar *sav = NULL; 461 struct ip *ip; 462 int s, error, i, off; 463 union sockaddr_union *dst; 464 int setdf; 465 466 KASSERT(m != NULL); 467 KASSERT(m->m_nextpkt == NULL); 468 KASSERT(isr != NULL); 469 470 s = splsoftnet(); /* insure SA contents don't change */ 471 472 isr = ipsec_nextisr(m, isr, AF_INET, &error, &sav); 473 if (isr == NULL) { 474 if (error != 0) { 475 goto bad; 476 } else { 477 if (ipsec_register_done(m, &error) < 0) 478 goto bad; 479 480 splx(s); 481 return ipsec_reinject_ipstack(m, AF_INET); 482 } 483 } 484 KASSERT(sav != NULL); 485 486 if (m->m_len < sizeof(struct ip) && 487 (m = m_pullup(m, sizeof(struct ip))) == NULL) { 488 error = ENOBUFS; 489 goto unrefsav; 490 } 491 492 /* 493 * Check if we need to handle NAT-T fragmentation. 494 */ 495 if (isr == isr->sp->req) { /* Check only if called from ipsec4_output */ 496 KASSERT(mtu != NULL); 497 ip = mtod(m, struct ip *); 498 if (!(sav->natt_type & 499 (UDP_ENCAP_ESPINUDP|UDP_ENCAP_ESPINUDP_NON_IKE))) { 500 goto noneed; 501 } 502 if (ntohs(ip->ip_len) <= sav->esp_frag) 503 goto noneed; 504 *mtu = sav->esp_frag; 505 KEY_SA_UNREF(&sav); 506 splx(s); 507 return 0; 508 } 509 noneed: 510 dst = &sav->sah->saidx.dst; 511 512 /* 513 * Collect IP_DF state from the outer header. 514 */ 515 if (dst->sa.sa_family == AF_INET) { 516 ip = mtod(m, struct ip *); 517 /* Honor system-wide control of how to handle IP_DF */ 518 switch (ip4_ipsec_dfbit) { 519 case 0: /* clear in outer header */ 520 case 1: /* set in outer header */ 521 setdf = ip4_ipsec_dfbit; 522 break; 523 default: /* propagate to outer header */ 524 setdf = ip->ip_off; 525 setdf = ntohs(setdf); 526 setdf = htons(setdf & IP_DF); 527 break; 528 } 529 } else { 530 ip = NULL; /* keep compiler happy */ 531 setdf = 0; 532 } 533 534 /* Do the appropriate encapsulation, if necessary */ 535 if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ 536 dst->sa.sa_family != AF_INET || /* PF mismatch */ 537 #if 0 538 (sav->flags & SADB_X_SAFLAGS_TUNNEL) || /* Tunnel requ'd */ 539 sav->tdb_xform->xf_type == XF_IP4 || /* ditto */ 540 #endif 541 (dst->sa.sa_family == AF_INET && /* Proxy */ 542 dst->sin.sin_addr.s_addr != INADDR_ANY && 543 dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) { 544 struct mbuf *mp; 545 546 /* Fix IPv4 header checksum and length */ 547 ip = mtod(m, struct ip *); 548 ip->ip_len = htons(m->m_pkthdr.len); 549 ip->ip_sum = 0; 550 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 551 552 /* Encapsulate the packet */ 553 error = ipip_output(m, isr, sav, &mp, 0, 0); 554 if (mp == NULL && !error) { 555 /* Should never happen. */ 556 IPSECLOG(LOG_DEBUG, 557 "ipip_output returns no mbuf and no error!"); 558 error = EFAULT; 559 } 560 if (error) { 561 if (mp) { 562 /* XXX: Should never happen! */ 563 m_freem(mp); 564 } 565 m = NULL; /* ipip_output() already freed it */ 566 goto unrefsav; 567 } 568 m = mp, mp = NULL; 569 570 /* 571 * ipip_output clears IP_DF in the new header. If 572 * we need to propagate IP_DF from the outer header, 573 * then we have to do it here. 574 * 575 * XXX shouldn't assume what ipip_output does. 576 */ 577 if (dst->sa.sa_family == AF_INET && setdf) { 578 if (m->m_len < sizeof(struct ip) && 579 (m = m_pullup(m, sizeof(struct ip))) == NULL) { 580 error = ENOBUFS; 581 goto unrefsav; 582 } 583 ip = mtod(m, struct ip *); 584 ip->ip_off |= htons(IP_DF); 585 } 586 } 587 588 /* 589 * Dispatch to the appropriate IPsec transform logic. The 590 * packet will be returned for transmission after crypto 591 * processing, etc. are completed. For encapsulation we 592 * bypass this call because of the explicit call done above 593 * (necessary to deal with IP_DF handling for IPv4). 594 * 595 * NB: m & sav are ``passed to caller'' who's reponsible for 596 * for reclaiming their resources. 597 */ 598 if (sav->tdb_xform->xf_type != XF_IP4) { 599 if (dst->sa.sa_family == AF_INET) { 600 ip = mtod(m, struct ip *); 601 i = ip->ip_hl << 2; 602 off = offsetof(struct ip, ip_p); 603 } else { 604 i = sizeof(struct ip6_hdr); 605 off = offsetof(struct ip6_hdr, ip6_nxt); 606 } 607 error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off); 608 } else { 609 error = ipsec_process_done(m, isr, sav); 610 } 611 KEY_SA_UNREF(&sav); 612 splx(s); 613 return error; 614 615 unrefsav: 616 KEY_SA_UNREF(&sav); 617 bad: 618 splx(s); 619 if (m) 620 m_freem(m); 621 return error; 622 } 623 #endif 624 625 #ifdef INET6 626 static int 627 compute_ipsec_pos(struct mbuf *m, int *i, int *off) 628 { 629 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); 630 struct ip6_ext ip6e; 631 int dstopt = 0; 632 int nxt; 633 634 *i = sizeof(struct ip6_hdr); 635 *off = offsetof(struct ip6_hdr, ip6_nxt); 636 nxt = ip6->ip6_nxt; 637 638 /* 639 * chase mbuf chain to find the appropriate place to 640 * put AH/ESP/IPcomp header. 641 * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload] 642 */ 643 while (1) { 644 if (*i + sizeof(ip6e) > m->m_pkthdr.len) { 645 return EINVAL; 646 } 647 648 switch (nxt) { 649 case IPPROTO_AH: 650 case IPPROTO_ESP: 651 case IPPROTO_IPCOMP: 652 /* 653 * we should not skip security header added 654 * beforehand. 655 */ 656 return 0; 657 658 case IPPROTO_HOPOPTS: 659 case IPPROTO_DSTOPTS: 660 case IPPROTO_ROUTING: 661 /* 662 * if we see 2nd destination option header, 663 * we should stop there. 664 */ 665 if (nxt == IPPROTO_DSTOPTS && dstopt) 666 return 0; 667 668 if (nxt == IPPROTO_DSTOPTS) { 669 /* 670 * seen 1st or 2nd destination option. 671 * next time we see one, it must be 2nd. 672 */ 673 dstopt = 1; 674 } else if (nxt == IPPROTO_ROUTING) { 675 /* 676 * if we see destination option next 677 * time, it must be dest2. 678 */ 679 dstopt = 2; 680 } 681 682 /* skip this header */ 683 m_copydata(m, *i, sizeof(ip6e), &ip6e); 684 nxt = ip6e.ip6e_nxt; 685 *off = *i + offsetof(struct ip6_ext, ip6e_nxt); 686 *i += (ip6e.ip6e_len + 1) << 3; 687 break; 688 default: 689 return 0; 690 } 691 } 692 693 return 0; 694 } 695 696 static int 697 in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, 698 const struct in6_addr *ia) 699 { 700 struct in6_addr ia2; 701 702 memcpy(&ia2, &sa->sin6_addr, sizeof(ia2)); 703 if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr)) 704 ia2.s6_addr16[1] = htons(sa->sin6_scope_id); 705 706 return IN6_ARE_ADDR_EQUAL(ia, &ia2); 707 } 708 709 int 710 ipsec6_process_packet(struct mbuf *m, const struct ipsecrequest *isr) 711 { 712 struct secasvar *sav = NULL; 713 struct ip6_hdr *ip6; 714 int s, error, i, off; 715 union sockaddr_union *dst; 716 717 KASSERT(m != NULL); 718 KASSERT(m->m_nextpkt == NULL); 719 KASSERT(isr != NULL); 720 721 s = splsoftnet(); /* insure SA contents don't change */ 722 723 isr = ipsec_nextisr(m, isr, AF_INET6, &error, &sav); 724 if (isr == NULL) { 725 if (error != 0) { 726 /* XXX Should we send a notification ? */ 727 goto bad; 728 } else { 729 if (ipsec_register_done(m, &error) < 0) 730 goto bad; 731 732 splx(s); 733 return ipsec_reinject_ipstack(m, AF_INET6); 734 } 735 } 736 737 KASSERT(sav != NULL); 738 dst = &sav->sah->saidx.dst; 739 740 if (m->m_len < sizeof(struct ip6_hdr)) { 741 if ((m = m_pullup(m,sizeof(struct ip6_hdr))) == NULL) { 742 error = ENOBUFS; 743 goto unrefsav; 744 } 745 } 746 ip6 = mtod(m, struct ip6_hdr *); 747 748 /* Do the appropriate encapsulation, if necessary */ 749 if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ 750 dst->sa.sa_family != AF_INET6 || /* AF mismatch */ 751 ((dst->sa.sa_family == AF_INET6) && 752 (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) && 753 (!in6_sa_equal_addrwithscope(&dst->sin6, &ip6->ip6_dst)))) { 754 struct mbuf *mp; 755 756 if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) { 757 /* No jumbogram support. */ 758 error = ENXIO; /*XXX*/ 759 goto unrefsav; 760 } 761 762 /* Fix IPv6 header payload length. */ 763 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); 764 765 /* Encapsulate the packet */ 766 error = ipip_output(m, isr, sav, &mp, 0, 0); 767 if (mp == NULL && !error) { 768 /* Should never happen. */ 769 IPSECLOG(LOG_DEBUG, 770 "ipip_output returns no mbuf and no error!"); 771 error = EFAULT; 772 } 773 774 if (error) { 775 if (mp) { 776 /* XXX: Should never happen! */ 777 m_freem(mp); 778 } 779 m = NULL; /* ipip_output() already freed it */ 780 goto unrefsav; 781 } 782 783 m = mp; 784 mp = NULL; 785 } 786 787 if (dst->sa.sa_family == AF_INET) { 788 struct ip *ip; 789 ip = mtod(m, struct ip *); 790 i = ip->ip_hl << 2; 791 off = offsetof(struct ip, ip_p); 792 } else { 793 error = compute_ipsec_pos(m, &i, &off); 794 if (error) 795 goto unrefsav; 796 } 797 error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off); 798 KEY_SA_UNREF(&sav); 799 splx(s); 800 return error; 801 802 unrefsav: 803 KEY_SA_UNREF(&sav); 804 bad: 805 splx(s); 806 if (m) 807 m_freem(m); 808 return error; 809 } 810 #endif /* INET6 */ 811 812 void 813 ipsec_output_init(void) 814 { 815 816 ipsec_rtcache_percpu = percpu_alloc(sizeof(struct route)); 817 } 818