xref: /freebsd/sys/netipsec/ipsec_output.c (revision 02e9120893770924227138ba49df1edb3896112a)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
5  * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 /*
31  * IPsec output processing.
32  */
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35 #include "opt_ipsec.h"
36 #include "opt_sctp.h"
37 
38 #include <sys/param.h>
39 #include <sys/systm.h>
40 #include <sys/mbuf.h>
41 #include <sys/domain.h>
42 #include <sys/protosw.h>
43 #include <sys/socket.h>
44 #include <sys/errno.h>
45 #include <sys/hhook.h>
46 #include <sys/syslog.h>
47 
48 #include <net/if.h>
49 #include <net/if_enc.h>
50 #include <net/if_var.h>
51 #include <net/vnet.h>
52 
53 #include <netinet/in.h>
54 #include <netinet/in_pcb.h>
55 #include <netinet/in_systm.h>
56 #include <netinet/ip.h>
57 #include <netinet/ip_var.h>
58 #include <netinet/in_var.h>
59 #include <netinet/ip_ecn.h>
60 #ifdef INET6
61 #include <netinet6/ip6_ecn.h>
62 #endif
63 #include <netinet/ip_icmp.h>
64 #include <netinet/tcp_var.h>
65 
66 #include <netinet/ip6.h>
67 #ifdef INET6
68 #include <netinet6/ip6_var.h>
69 #include <netinet6/scope6_var.h>
70 #endif
71 #include <netinet/in_pcb.h>
72 #ifdef INET6
73 #include <netinet/icmp6.h>
74 #endif
75 #if defined(SCTP) || defined(SCTP_SUPPORT)
76 #include <netinet/sctp_crc32.h>
77 #endif
78 
79 #include <netinet/udp.h>
80 #include <netipsec/ah.h>
81 #include <netipsec/esp.h>
82 #include <netipsec/ipsec.h>
83 #ifdef INET6
84 #include <netipsec/ipsec6.h>
85 #endif
86 #include <netipsec/ipsec_support.h>
87 #include <netipsec/ah_var.h>
88 #include <netipsec/esp_var.h>
89 #include <netipsec/ipcomp_var.h>
90 
91 #include <netipsec/xform.h>
92 
93 #include <netipsec/key.h>
94 #include <netipsec/keydb.h>
95 #include <netipsec/key_debug.h>
96 
97 #include <machine/in_cksum.h>
98 
99 #define	IPSEC_OSTAT_INC(proto, name)	do {		\
100 	if ((proto) == IPPROTO_ESP)	\
101 		ESPSTAT_INC(esps_##name);	\
102 	else if ((proto) == IPPROTO_AH)\
103 		AHSTAT_INC(ahs_##name);		\
104 	else					\
105 		IPCOMPSTAT_INC(ipcomps_##name);	\
106 } while (0)
107 
108 static int ipsec_encap(struct mbuf **mp, struct secasindex *saidx);
109 static size_t ipsec_get_pmtu(struct secasvar *sav);
110 
111 #ifdef INET
112 static struct secasvar *
113 ipsec4_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error)
114 {
115 	struct secasindex *saidx, tmpsaidx;
116 	struct ipsecrequest *isr;
117 	struct sockaddr_in *sin;
118 	struct secasvar *sav;
119 	struct ip *ip;
120 
121 	/*
122 	 * Check system global policy controls.
123 	 */
124 next:
125 	isr = sp->req[*pidx];
126 	if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) ||
127 	    (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) ||
128 	    (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
129 		DPRINTF(("%s: IPsec outbound packet dropped due"
130 			" to policy (check your sysctls)\n", __func__));
131 		IPSEC_OSTAT_INC(isr->saidx.proto, pdrops);
132 		*error = EHOSTUNREACH;
133 		return (NULL);
134 	}
135 	/*
136 	 * Craft SA index to search for proper SA.  Note that
137 	 * we only initialize unspecified SA peers for transport
138 	 * mode; for tunnel mode they must already be filled in.
139 	 */
140 	if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
141 		saidx = &tmpsaidx;
142 		*saidx = isr->saidx;
143 		ip = mtod(m, struct ip *);
144 		if (saidx->src.sa.sa_len == 0) {
145 			sin = &saidx->src.sin;
146 			sin->sin_len = sizeof(*sin);
147 			sin->sin_family = AF_INET;
148 			sin->sin_port = IPSEC_PORT_ANY;
149 			sin->sin_addr = ip->ip_src;
150 		}
151 		if (saidx->dst.sa.sa_len == 0) {
152 			sin = &saidx->dst.sin;
153 			sin->sin_len = sizeof(*sin);
154 			sin->sin_family = AF_INET;
155 			sin->sin_port = IPSEC_PORT_ANY;
156 			sin->sin_addr = ip->ip_dst;
157 		}
158 	} else
159 		saidx = &sp->req[*pidx]->saidx;
160 	/*
161 	 * Lookup SA and validate it.
162 	 */
163 	sav = key_allocsa_policy(sp, saidx, error);
164 	if (sav == NULL) {
165 		IPSECSTAT_INC(ips_out_nosa);
166 		if (*error != 0)
167 			return (NULL);
168 		if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) {
169 			/*
170 			 * We have no SA and policy that doesn't require
171 			 * this IPsec transform, thus we can continue w/o
172 			 * IPsec processing, i.e. return EJUSTRETURN.
173 			 * But first check if there is some bundled transform.
174 			 */
175 			if (sp->tcount > ++(*pidx))
176 				goto next;
177 			*error = EJUSTRETURN;
178 		}
179 		return (NULL);
180 	}
181 	IPSEC_ASSERT(sav->tdb_xform != NULL, ("SA with NULL tdb_xform"));
182 	return (sav);
183 }
184 
185 /*
186  * IPsec output logic for IPv4.
187  */
188 static int
189 ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp,
190     struct inpcb *inp, u_int idx)
191 {
192 	struct ipsec_ctx_data ctx;
193 	union sockaddr_union *dst;
194 	struct secasvar *sav;
195 	struct ip *ip;
196 	int error, i, off;
197 
198 	IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx));
199 
200 	/*
201 	 * We hold the reference to SP. Content of SP couldn't be changed.
202 	 * Craft secasindex and do lookup for suitable SA.
203 	 * Then do encapsulation if needed and call xform's output.
204 	 * We need to store SP in the xform callback parameters.
205 	 * In xform callback we will extract SP and it can be used to
206 	 * determine next transform. At the end of transform we can
207 	 * release reference to SP.
208 	 */
209 	sav = ipsec4_allocsa(m, sp, &idx, &error);
210 	if (sav == NULL) {
211 		if (error == EJUSTRETURN) { /* No IPsec required */
212 			key_freesp(&sp);
213 			return (error);
214 		}
215 		goto bad;
216 	}
217 	/*
218 	 * XXXAE: most likely ip_sum at this point is wrong.
219 	 */
220 	IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET, IPSEC_ENC_BEFORE);
221 	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
222 		goto bad;
223 
224 	ip = mtod(m, struct ip *);
225 	dst = &sav->sah->saidx.dst;
226 	/* Do the appropriate encapsulation, if necessary */
227 	if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
228 	    dst->sa.sa_family != AF_INET ||	    /* PF mismatch */
229 	    (dst->sa.sa_family == AF_INET &&	    /* Proxy */
230 	     dst->sin.sin_addr.s_addr != INADDR_ANY &&
231 	     dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) {
232 		/* Fix IPv4 header checksum and length */
233 		ip->ip_len = htons(m->m_pkthdr.len);
234 		ip->ip_sum = 0;
235 		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
236 		error = ipsec_encap(&m, &sav->sah->saidx);
237 		if (error != 0) {
238 			DPRINTF(("%s: encapsulation for SPI 0x%08x failed "
239 			    "with error %d\n", __func__, ntohl(sav->spi),
240 			    error));
241 			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
242 			goto bad;
243 		}
244 		inp = NULL;
245 	}
246 
247 	IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
248 	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
249 		goto bad;
250 
251 	/*
252 	 * Dispatch to the appropriate IPsec transform logic.  The
253 	 * packet will be returned for transmission after crypto
254 	 * processing, etc. are completed.
255 	 *
256 	 * NB: m & sav are ``passed to caller'' who's responsible for
257 	 *     reclaiming their resources.
258 	 */
259 	switch(dst->sa.sa_family) {
260 	case AF_INET:
261 		ip = mtod(m, struct ip *);
262 		i = ip->ip_hl << 2;
263 		off = offsetof(struct ip, ip_p);
264 		break;
265 #ifdef INET6
266 	case AF_INET6:
267 		i = sizeof(struct ip6_hdr);
268 		off = offsetof(struct ip6_hdr, ip6_nxt);
269 		break;
270 #endif /* INET6 */
271 	default:
272 		DPRINTF(("%s: unsupported protocol family %u\n",
273 		    __func__, dst->sa.sa_family));
274 		error = EPFNOSUPPORT;
275 		IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf);
276 		goto bad;
277 	}
278 	error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off);
279 	return (error);
280 bad:
281 	IPSECSTAT_INC(ips_out_inval);
282 	if (m != NULL)
283 		m_freem(m);
284 	if (sav != NULL)
285 		key_freesav(&sav);
286 	key_freesp(&sp);
287 	return (error);
288 }
289 
290 int
291 ipsec4_process_packet(struct mbuf *m, struct secpolicy *sp,
292     struct inpcb *inp)
293 {
294 
295 	return (ipsec4_perform_request(m, sp, inp, 0));
296 }
297 
298 int
299 ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
300 {
301 	struct secasvar *sav;
302 	struct ip *ip;
303 	size_t hlen, pmtu;
304 	uint32_t idx;
305 	int error;
306 
307 	/* Don't check PMTU if the frame won't have DF bit set. */
308 	if (!V_ip4_ipsec_dfbit)
309 		return (0);
310 	if (V_ip4_ipsec_dfbit == 1)
311 		goto setdf;
312 
313 	/* V_ip4_ipsec_dfbit > 1 - we will copy it from inner header. */
314 	ip = mtod(m, struct ip *);
315 	if (!(ip->ip_off & htons(IP_DF)))
316 		return (0);
317 
318 setdf:
319 	idx = sp->tcount - 1;
320 	sav = ipsec4_allocsa(m, sp, &idx, &error);
321 	if (sav == NULL) {
322 		key_freesp(&sp);
323 		/*
324 		 * No matching SA was found and SADB_ACQUIRE message was generated.
325 		 * Since we have matched a SP to this packet drop it silently.
326 		 */
327 		if (error == 0)
328 			error = EINPROGRESS;
329 		if (error != EJUSTRETURN)
330 			m_freem(m);
331 
332 		return (error);
333 	}
334 
335 	pmtu = ipsec_get_pmtu(sav);
336 	if (pmtu == 0) {
337 		key_freesav(&sav);
338 		return (0);
339 	}
340 
341 	hlen = ipsec_hdrsiz_internal(sp);
342 	key_freesav(&sav);
343 
344 	if (m_length(m, NULL) + hlen > pmtu) {
345 		/*
346 		 * If we're forwarding generate ICMP message here,
347 		 * so that it contains pmtu subtracted by header size.
348 		 * Set error to EINPROGRESS, in order for the frame
349 		 * to be dropped silently.
350 		 */
351 		if (forwarding) {
352 			if (pmtu > hlen)
353 				icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
354 				    0, pmtu - hlen);
355 			else
356 				m_freem(m);
357 
358 			key_freesp(&sp);
359 			return (EINPROGRESS); /* Pretend that we consumed it. */
360 		} else {
361 			m_freem(m);
362 			key_freesp(&sp);
363 			return (EMSGSIZE);
364 		}
365 	}
366 
367 	return (0);
368 }
369 
370 static int
371 ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
372 {
373 	struct secpolicy *sp;
374 	int error;
375 
376 	/* Lookup for the corresponding outbound security policy */
377 	sp = ipsec4_checkpolicy(m, inp, &error, !forwarding);
378 	if (sp == NULL) {
379 		if (error == -EINVAL) {
380 			/* Discarded by policy. */
381 			m_freem(m);
382 			return (EACCES);
383 		}
384 		return (0); /* No IPsec required. */
385 	}
386 
387 	/*
388 	 * Usually we have to have tunnel mode IPsec security policy
389 	 * when we are forwarding a packet. Otherwise we could not handle
390 	 * encrypted replies, because they are not destined for us. But
391 	 * some users are doing source address translation for forwarded
392 	 * packets, and thus, even if they are forwarded, the replies will
393 	 * return back to us.
394 	 */
395 	if (!forwarding) {
396 		/*
397 		 * Do delayed checksums now because we send before
398 		 * this is done in the normal processing path.
399 		 */
400 		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
401 			in_delayed_cksum(m);
402 			m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
403 		}
404 #if defined(SCTP) || defined(SCTP_SUPPORT)
405 		if (m->m_pkthdr.csum_flags & CSUM_SCTP) {
406 			struct ip *ip;
407 
408 			ip = mtod(m, struct ip *);
409 			sctp_delayed_cksum(m, (uint32_t)(ip->ip_hl << 2));
410 			m->m_pkthdr.csum_flags &= ~CSUM_SCTP;
411 		}
412 #endif
413 	}
414 	/* NB: callee frees mbuf and releases reference to SP */
415 	error = ipsec4_check_pmtu(m, sp, forwarding);
416 	if (error != 0) {
417 		if (error == EJUSTRETURN)
418 			return (0);
419 
420 		return (error);
421 	}
422 
423 	error = ipsec4_process_packet(m, sp, inp);
424 	if (error == EJUSTRETURN) {
425 		/*
426 		 * We had a SP with a level of 'use' and no SA. We
427 		 * will just continue to process the packet without
428 		 * IPsec processing and return without error.
429 		 */
430 		return (0);
431 	}
432 	if (error == 0)
433 		return (EINPROGRESS); /* consumed by IPsec */
434 	return (error);
435 }
436 
437 /*
438  * IPSEC_OUTPUT() method implementation for IPv4.
439  * 0 - no IPsec handling needed
440  * other values - mbuf consumed by IPsec.
441  */
442 int
443 ipsec4_output(struct mbuf *m, struct inpcb *inp)
444 {
445 
446 	/*
447 	 * If the packet is resubmitted to ip_output (e.g. after
448 	 * AH, ESP, etc. processing), there will be a tag to bypass
449 	 * the lookup and related policy checking.
450 	 */
451 	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL)
452 		return (0);
453 
454 	return (ipsec4_common_output(m, inp, 0));
455 }
456 
457 /*
458  * IPSEC_FORWARD() method implementation for IPv4.
459  * 0 - no IPsec handling needed
460  * other values - mbuf consumed by IPsec.
461  */
462 int
463 ipsec4_forward(struct mbuf *m)
464 {
465 
466 	/*
467 	 * Check if this packet has an active inbound SP and needs to be
468 	 * dropped instead of forwarded.
469 	 */
470 	if (ipsec4_in_reject(m, NULL) != 0) {
471 		m_freem(m);
472 		return (EACCES);
473 	}
474 	return (ipsec4_common_output(m, NULL, 1));
475 }
476 #endif
477 
478 #ifdef INET6
479 static int
480 in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa,
481     const struct in6_addr *ia)
482 {
483 	struct in6_addr ia2;
484 
485 	if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr)) {
486 		memcpy(&ia2, &sa->sin6_addr, sizeof(ia2));
487 		ia2.s6_addr16[1] = htons(sa->sin6_scope_id);
488 		return (IN6_ARE_ADDR_EQUAL(ia, &ia2));
489 	}
490 	return (IN6_ARE_ADDR_EQUAL(&sa->sin6_addr, ia));
491 }
492 
493 static struct secasvar *
494 ipsec6_allocsa(struct mbuf *m, struct secpolicy *sp, u_int *pidx, int *error)
495 {
496 	struct secasindex *saidx, tmpsaidx;
497 	struct ipsecrequest *isr;
498 	struct sockaddr_in6 *sin6;
499 	struct secasvar *sav;
500 	struct ip6_hdr *ip6;
501 
502 	/*
503 	 * Check system global policy controls.
504 	 */
505 next:
506 	isr = sp->req[*pidx];
507 	if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) ||
508 	    (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) ||
509 	    (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
510 		DPRINTF(("%s: IPsec outbound packet dropped due"
511 			" to policy (check your sysctls)\n", __func__));
512 		IPSEC_OSTAT_INC(isr->saidx.proto, pdrops);
513 		*error = EHOSTUNREACH;
514 		return (NULL);
515 	}
516 	/*
517 	 * Craft SA index to search for proper SA.  Note that
518 	 * we only fillin unspecified SA peers for transport
519 	 * mode; for tunnel mode they must already be filled in.
520 	 */
521 	if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
522 		saidx = &tmpsaidx;
523 		*saidx = isr->saidx;
524 		ip6 = mtod(m, struct ip6_hdr *);
525 		if (saidx->src.sin6.sin6_len == 0) {
526 			sin6 = (struct sockaddr_in6 *)&saidx->src;
527 			sin6->sin6_len = sizeof(*sin6);
528 			sin6->sin6_family = AF_INET6;
529 			sin6->sin6_port = IPSEC_PORT_ANY;
530 			sin6->sin6_addr = ip6->ip6_src;
531 			if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
532 				/* fix scope id for comparing SPD */
533 				sin6->sin6_addr.s6_addr16[1] = 0;
534 				sin6->sin6_scope_id =
535 				    ntohs(ip6->ip6_src.s6_addr16[1]);
536 			}
537 		}
538 		if (saidx->dst.sin6.sin6_len == 0) {
539 			sin6 = (struct sockaddr_in6 *)&saidx->dst;
540 			sin6->sin6_len = sizeof(*sin6);
541 			sin6->sin6_family = AF_INET6;
542 			sin6->sin6_port = IPSEC_PORT_ANY;
543 			sin6->sin6_addr = ip6->ip6_dst;
544 			if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
545 				/* fix scope id for comparing SPD */
546 				sin6->sin6_addr.s6_addr16[1] = 0;
547 				sin6->sin6_scope_id =
548 				    ntohs(ip6->ip6_dst.s6_addr16[1]);
549 			}
550 		}
551 	} else
552 		saidx = &sp->req[*pidx]->saidx;
553 	/*
554 	 * Lookup SA and validate it.
555 	 */
556 	sav = key_allocsa_policy(sp, saidx, error);
557 	if (sav == NULL) {
558 		IPSEC6STAT_INC(ips_out_nosa);
559 		if (*error != 0)
560 			return (NULL);
561 		if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) {
562 			/*
563 			 * We have no SA and policy that doesn't require
564 			 * this IPsec transform, thus we can continue w/o
565 			 * IPsec processing, i.e. return EJUSTRETURN.
566 			 * But first check if there is some bundled transform.
567 			 */
568 			if (sp->tcount > ++(*pidx))
569 				goto next;
570 			*error = EJUSTRETURN;
571 		}
572 		return (NULL);
573 	}
574 	IPSEC_ASSERT(sav->tdb_xform != NULL, ("SA with NULL tdb_xform"));
575 	return (sav);
576 }
577 
578 /*
579  * IPsec output logic for IPv6.
580  */
581 static int
582 ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp,
583     struct inpcb *inp, u_int idx)
584 {
585 	struct ipsec_ctx_data ctx;
586 	union sockaddr_union *dst;
587 	struct secasvar *sav;
588 	struct ip6_hdr *ip6;
589 	int error, i, off;
590 
591 	IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx));
592 
593 	sav = ipsec6_allocsa(m, sp, &idx, &error);
594 	if (sav == NULL) {
595 		if (error == EJUSTRETURN) { /* No IPsec required */
596 			key_freesp(&sp);
597 			return (error);
598 		}
599 		goto bad;
600 	}
601 
602 	/* Fix IP length in case if it is not set yet. */
603 	ip6 = mtod(m, struct ip6_hdr *);
604 	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
605 
606 	IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET6, IPSEC_ENC_BEFORE);
607 	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
608 		goto bad;
609 
610 	ip6 = mtod(m, struct ip6_hdr *); /* pfil can change mbuf */
611 	dst = &sav->sah->saidx.dst;
612 
613 	/* Do the appropriate encapsulation, if necessary */
614 	if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
615 	    dst->sa.sa_family != AF_INET6 ||        /* PF mismatch */
616 	    ((dst->sa.sa_family == AF_INET6) &&
617 	     (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) &&
618 	     (!in6_sa_equal_addrwithscope(&dst->sin6, &ip6->ip6_dst)))) {
619 		if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) {
620 			/* No jumbogram support. */
621 			error = ENXIO;   /*XXX*/
622 			goto bad;
623 		}
624 		error = ipsec_encap(&m, &sav->sah->saidx);
625 		if (error != 0) {
626 			DPRINTF(("%s: encapsulation for SPI 0x%08x failed "
627 			    "with error %d\n", __func__, ntohl(sav->spi),
628 			    error));
629 			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
630 			goto bad;
631 		}
632 		inp = NULL;
633 	}
634 
635 	IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
636 	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
637 		goto bad;
638 
639 	switch(dst->sa.sa_family) {
640 #ifdef INET
641 	case AF_INET:
642 		{
643 		struct ip *ip;
644 		ip = mtod(m, struct ip *);
645 		i = ip->ip_hl << 2;
646 		off = offsetof(struct ip, ip_p);
647 		}
648 		break;
649 #endif /* AF_INET */
650 	case AF_INET6:
651 		i = sizeof(struct ip6_hdr);
652 		off = offsetof(struct ip6_hdr, ip6_nxt);
653 		break;
654 	default:
655 		DPRINTF(("%s: unsupported protocol family %u\n",
656 				 __func__, dst->sa.sa_family));
657 		error = EPFNOSUPPORT;
658 		IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf);
659 		goto bad;
660 	}
661 	error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off);
662 	return (error);
663 bad:
664 	IPSEC6STAT_INC(ips_out_inval);
665 	if (m != NULL)
666 		m_freem(m);
667 	if (sav != NULL)
668 		key_freesav(&sav);
669 	key_freesp(&sp);
670 	return (error);
671 }
672 
673 int
674 ipsec6_process_packet(struct mbuf *m, struct secpolicy *sp,
675     struct inpcb *inp)
676 {
677 
678 	return (ipsec6_perform_request(m, sp, inp, 0));
679 }
680 
681 /*
682  * IPv6 implementation is based on IPv4 implementation.
683  */
684 int
685 ipsec6_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
686 {
687 	struct secasvar *sav;
688 	size_t hlen, pmtu;
689 	uint32_t idx;
690 	int error;
691 
692 	/*
693 	 * According to RFC8200 L3 fragmentation is supposed to be done only on
694 	 * locally generated packets. During L3 forwarding packets that are too
695 	 * big are always supposed to be dropped, with an ICMPv6 packet being
696 	 * sent back.
697 	 */
698 	if (!forwarding)
699 		return (0);
700 
701 	idx = sp->tcount - 1;
702 	sav = ipsec6_allocsa(m, sp, &idx, &error);
703 	if (sav == NULL) {
704 		key_freesp(&sp);
705 		/*
706 		 * No matching SA was found and SADB_ACQUIRE message was generated.
707 		 * Since we have matched a SP to this packet drop it silently.
708 		 */
709 		if (error == 0)
710 			error = EINPROGRESS;
711 		if (error != EJUSTRETURN)
712 			m_freem(m);
713 
714 		return (error);
715 	}
716 
717 	pmtu = ipsec_get_pmtu(sav);
718 	if (pmtu == 0) {
719 		key_freesav(&sav);
720 		return (0);
721 	}
722 
723 	hlen = ipsec_hdrsiz_internal(sp);
724 	key_freesav(&sav);
725 
726 	if (m_length(m, NULL) + hlen > pmtu) {
727 		/*
728 		 * If we're forwarding generate ICMPv6 message here,
729 		 * so that it contains pmtu subtracted by header size.
730 		 * Set error to EINPROGRESS, in order for the frame
731 		 * to be dropped silently.
732 		 */
733 		if (forwarding) {
734 			if (pmtu > hlen)
735 				icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, pmtu - hlen);
736 			else
737 				m_freem(m);
738 
739 			key_freesp(&sp);
740 			return (EINPROGRESS); /* Pretend that we consumed it. */
741 		}
742 	}
743 
744 	return (0);
745 }
746 
747 static int
748 ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
749 {
750 	struct secpolicy *sp;
751 	int error;
752 
753 	/* Lookup for the corresponding outbound security policy */
754 	sp = ipsec6_checkpolicy(m, inp, &error, !forwarding);
755 	if (sp == NULL) {
756 		if (error == -EINVAL) {
757 			/* Discarded by policy. */
758 			m_freem(m);
759 			return (EACCES);
760 		}
761 		return (0); /* No IPsec required. */
762 	}
763 
764 	if (!forwarding) {
765 		/*
766 		 * Do delayed checksums now because we send before
767 		 * this is done in the normal processing path.
768 		 */
769 		if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
770 			in6_delayed_cksum(m, m->m_pkthdr.len -
771 			    sizeof(struct ip6_hdr), sizeof(struct ip6_hdr));
772 			m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
773 		}
774 #if defined(SCTP) || defined(SCTP_SUPPORT)
775 		if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) {
776 			sctp_delayed_cksum(m, sizeof(struct ip6_hdr));
777 			m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6;
778 		}
779 #endif
780 	}
781 
782 	error = ipsec6_check_pmtu(m, sp, forwarding);
783 	if (error != 0) {
784 		if (error == EJUSTRETURN)
785 			return (0);
786 
787 		return (error);
788 	}
789 
790 	/* NB: callee frees mbuf and releases reference to SP */
791 	error = ipsec6_process_packet(m, sp, inp);
792 	if (error == EJUSTRETURN) {
793 		/*
794 		 * We had a SP with a level of 'use' and no SA. We
795 		 * will just continue to process the packet without
796 		 * IPsec processing and return without error.
797 		 */
798 		return (0);
799 	}
800 	if (error == 0)
801 		return (EINPROGRESS); /* consumed by IPsec */
802 	return (error);
803 }
804 
805 /*
806  * IPSEC_OUTPUT() method implementation for IPv6.
807  * 0 - no IPsec handling needed
808  * other values - mbuf consumed by IPsec.
809  */
810 int
811 ipsec6_output(struct mbuf *m, struct inpcb *inp)
812 {
813 
814 	/*
815 	 * If the packet is resubmitted to ip_output (e.g. after
816 	 * AH, ESP, etc. processing), there will be a tag to bypass
817 	 * the lookup and related policy checking.
818 	 */
819 	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL)
820 		return (0);
821 
822 	return (ipsec6_common_output(m, inp, 0));
823 }
824 
825 /*
826  * IPSEC_FORWARD() method implementation for IPv6.
827  * 0 - no IPsec handling needed
828  * other values - mbuf consumed by IPsec.
829  */
830 int
831 ipsec6_forward(struct mbuf *m)
832 {
833 
834 	/*
835 	 * Check if this packet has an active inbound SP and needs to be
836 	 * dropped instead of forwarded.
837 	 */
838 	if (ipsec6_in_reject(m, NULL) != 0) {
839 		m_freem(m);
840 		return (EACCES);
841 	}
842 	return (ipsec6_common_output(m, NULL, 1));
843 }
844 #endif /* INET6 */
845 
846 int
847 ipsec_process_done(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav,
848     u_int idx)
849 {
850 	struct epoch_tracker et;
851 	struct xform_history *xh;
852 	struct secasindex *saidx;
853 	struct m_tag *mtag;
854 	int error;
855 
856 	saidx = &sav->sah->saidx;
857 	switch (saidx->dst.sa.sa_family) {
858 #ifdef INET
859 	case AF_INET:
860 		/* Fix the header length, for AH processing. */
861 		mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
862 		break;
863 #endif /* INET */
864 #ifdef INET6
865 	case AF_INET6:
866 		/* Fix the header length, for AH processing. */
867 		if (m->m_pkthdr.len < sizeof (struct ip6_hdr)) {
868 			error = ENXIO;
869 			goto bad;
870 		}
871 		if (m->m_pkthdr.len - sizeof (struct ip6_hdr) > IPV6_MAXPACKET) {
872 			/* No jumbogram support. */
873 			error = ENXIO;	/*?*/
874 			goto bad;
875 		}
876 		mtod(m, struct ip6_hdr *)->ip6_plen =
877 			htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
878 		break;
879 #endif /* INET6 */
880 	default:
881 		DPRINTF(("%s: unknown protocol family %u\n", __func__,
882 		    saidx->dst.sa.sa_family));
883 		error = ENXIO;
884 		goto bad;
885 	}
886 
887 	/*
888 	 * Add a record of what we've done to the packet.
889 	 */
890 	mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(*xh), M_NOWAIT);
891 	if (mtag == NULL) {
892 		DPRINTF(("%s: could not get packet tag\n", __func__));
893 		error = ENOMEM;
894 		goto bad;
895 	}
896 
897 	xh = (struct xform_history *)(mtag + 1);
898 	xh->dst = saidx->dst;
899 	xh->proto = saidx->proto;
900 	xh->mode = saidx->mode;
901 	xh->spi = sav->spi;
902 	m_tag_prepend(m, mtag);
903 
904 	key_sa_recordxfer(sav, m);		/* record data transfer */
905 
906 	/*
907 	 * If there's another (bundled) SA to apply, do so.
908 	 * Note that this puts a burden on the kernel stack size.
909 	 * If this is a problem we'll need to introduce a queue
910 	 * to set the packet on so we can unwind the stack before
911 	 * doing further processing.
912 	 */
913 	if (++idx < sp->tcount) {
914 		switch (saidx->dst.sa.sa_family) {
915 #ifdef INET
916 		case AF_INET:
917 			key_freesav(&sav);
918 			IPSECSTAT_INC(ips_out_bundlesa);
919 			return (ipsec4_perform_request(m, sp, NULL, idx));
920 			/* NOTREACHED */
921 #endif
922 #ifdef INET6
923 		case AF_INET6:
924 			key_freesav(&sav);
925 			IPSEC6STAT_INC(ips_out_bundlesa);
926 			return (ipsec6_perform_request(m, sp, NULL, idx));
927 			/* NOTREACHED */
928 #endif /* INET6 */
929 		default:
930 			DPRINTF(("%s: unknown protocol family %u\n", __func__,
931 			    saidx->dst.sa.sa_family));
932 			error = EPFNOSUPPORT;
933 			goto bad;
934 		}
935 	}
936 
937 	key_freesp(&sp), sp = NULL;	/* Release reference to SP */
938 #ifdef INET
939 	/*
940 	 * Do UDP encapsulation if SA requires it.
941 	 */
942 	if (sav->natt != NULL) {
943 		error = udp_ipsec_output(m, sav);
944 		if (error != 0)
945 			goto bad;
946 	}
947 #endif /* INET */
948 	/*
949 	 * We're done with IPsec processing, transmit the packet using the
950 	 * appropriate network protocol (IP or IPv6).
951 	 */
952 	NET_EPOCH_ENTER(et);
953 	switch (saidx->dst.sa.sa_family) {
954 #ifdef INET
955 	case AF_INET:
956 		key_freesav(&sav);
957 		error = ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL);
958 		break;
959 #endif /* INET */
960 #ifdef INET6
961 	case AF_INET6:
962 		key_freesav(&sav);
963 		error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
964 		break;
965 #endif /* INET6 */
966 	default:
967 		panic("ipsec_process_done");
968 	}
969 	NET_EPOCH_EXIT(et);
970 	return (error);
971 bad:
972 	m_freem(m);
973 	key_freesav(&sav);
974 	if (sp != NULL)
975 		key_freesp(&sp);
976 	return (error);
977 }
978 
979 /*
980  * ipsec_prepend() is optimized version of M_PREPEND().
981  * ipsec_encap() is called by IPsec output routine for tunnel mode SA.
982  * It is expected that after IP encapsulation some IPsec transform will
983  * be performed. Each IPsec transform inserts its variable length header
984  * just after outer IP header using m_makespace(). If given mbuf has not
985  * enough free space at the beginning, we allocate new mbuf and reserve
986  * some space at the beginning and at the end.
987  * This helps avoid allocating of new mbuf and data copying in m_makespace(),
988  * we place outer header in the middle of mbuf's data with reserved leading
989  * and trailing space:
990  *	[ LEADINGSPACE ][ Outer IP header ][ TRAILINGSPACE ]
991  * LEADINGSPACE will be used to add ethernet header, TRAILINGSPACE will
992  * be used to inject AH/ESP/IPCOMP header.
993  */
994 #define	IPSEC_TRAILINGSPACE	(sizeof(struct udphdr) +/* NAT-T */	\
995     max(sizeof(struct newesp) + EALG_MAX_BLOCK_LEN,	/* ESP + IV */	\
996 	sizeof(struct newah) + HASH_MAX_LEN		/* AH + ICV */))
997 static struct mbuf *
998 ipsec_prepend(struct mbuf *m, int len, int how)
999 {
1000 	struct mbuf *n;
1001 
1002 	M_ASSERTPKTHDR(m);
1003 	IPSEC_ASSERT(len < MHLEN, ("wrong length"));
1004 	if (M_LEADINGSPACE(m) >= len) {
1005 		/* No need to allocate new mbuf. */
1006 		m->m_data -= len;
1007 		m->m_len += len;
1008 		m->m_pkthdr.len += len;
1009 		return (m);
1010 	}
1011 	n = m_gethdr(how, m->m_type);
1012 	if (n == NULL) {
1013 		m_freem(m);
1014 		return (NULL);
1015 	}
1016 	m_move_pkthdr(n, m);
1017 	n->m_next = m;
1018 	if (len + IPSEC_TRAILINGSPACE < M_SIZE(n))
1019 		m_align(n, len + IPSEC_TRAILINGSPACE);
1020 	n->m_len = len;
1021 	n->m_pkthdr.len += len;
1022 	return (n);
1023 }
1024 
1025 static size_t
1026 ipsec_get_pmtu(struct secasvar *sav)
1027 {
1028 	union sockaddr_union *dst;
1029 	struct in_conninfo inc;
1030 	size_t pmtu;
1031 
1032 	dst = &sav->sah->saidx.dst;
1033 	memset(&inc, 0, sizeof(inc));
1034 
1035 	switch (dst->sa.sa_family) {
1036 #ifdef INET
1037 	case AF_INET:
1038 		inc.inc_faddr = satosin(&dst->sa)->sin_addr;
1039 		break;
1040 #endif
1041 #ifdef INET6
1042 	case AF_INET6:
1043 		inc.inc6_faddr = satosin6(&dst->sa)->sin6_addr;
1044 		inc.inc_flags |= INC_ISIPV6;
1045 		break;
1046 #endif
1047 	default:
1048 		return (0);
1049 	}
1050 
1051 	pmtu = tcp_hc_getmtu(&inc);
1052 	if (pmtu != 0)
1053 		return (pmtu);
1054 
1055 	/* No entry in hostcache. Assume that PMTU is equal to link's MTU */
1056 	switch (dst->sa.sa_family) {
1057 #ifdef INET
1058 	case AF_INET:
1059 		pmtu = tcp_maxmtu(&inc, NULL);
1060 		break;
1061 #endif
1062 #ifdef INET6
1063 	case AF_INET6:
1064 		pmtu = tcp_maxmtu6(&inc, NULL);
1065 		break;
1066 #endif
1067 	default:
1068 		return (0);
1069 	}
1070 	if (pmtu == 0)
1071 		return (0);
1072 
1073 	tcp_hc_updatemtu(&inc, pmtu);
1074 
1075 	return (pmtu);
1076 }
1077 
1078 static int
1079 ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
1080 {
1081 #ifdef INET6
1082 	struct ip6_hdr *ip6;
1083 #endif
1084 	struct ip *ip;
1085 #ifdef INET
1086 	int setdf;
1087 #endif
1088 	uint8_t itos, proto;
1089 
1090 	ip = mtod(*mp, struct ip *);
1091 	switch (ip->ip_v) {
1092 #ifdef INET
1093 	case IPVERSION:
1094 		proto = IPPROTO_IPIP;
1095 		/*
1096 		 * Collect IP_DF state from the inner header
1097 		 * and honor system-wide control of how to handle it.
1098 		 */
1099 		switch (V_ip4_ipsec_dfbit) {
1100 		case 0:	/* clear in outer header */
1101 		case 1:	/* set in outer header */
1102 			setdf = V_ip4_ipsec_dfbit;
1103 			break;
1104 		default:/* propagate to outer header */
1105 			setdf = (ip->ip_off & htons(IP_DF)) != 0;
1106 		}
1107 		itos = ip->ip_tos;
1108 		break;
1109 #endif
1110 #ifdef INET6
1111 	case (IPV6_VERSION >> 4):
1112 		proto = IPPROTO_IPV6;
1113 		ip6 = mtod(*mp, struct ip6_hdr *);
1114 		itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
1115 		/* scoped address handling */
1116 		in6_clearscope(&ip6->ip6_src);
1117 		in6_clearscope(&ip6->ip6_dst);
1118 		break;
1119 #endif
1120 	default:
1121 		return (EAFNOSUPPORT);
1122 	}
1123 	switch (saidx->dst.sa.sa_family) {
1124 #ifdef INET
1125 	case AF_INET:
1126 		if (saidx->src.sa.sa_family != AF_INET ||
1127 		    saidx->src.sin.sin_addr.s_addr == INADDR_ANY ||
1128 		    saidx->dst.sin.sin_addr.s_addr == INADDR_ANY)
1129 			return (EINVAL);
1130 		*mp = ipsec_prepend(*mp, sizeof(struct ip), M_NOWAIT);
1131 		if (*mp == NULL)
1132 			return (ENOBUFS);
1133 		ip = mtod(*mp, struct ip *);
1134 		ip->ip_v = IPVERSION;
1135 		ip->ip_hl = sizeof(struct ip) >> 2;
1136 		ip->ip_p = proto;
1137 		ip->ip_len = htons((*mp)->m_pkthdr.len);
1138 		ip->ip_ttl = V_ip_defttl;
1139 		ip->ip_sum = 0;
1140 		ip->ip_off = setdf ? htons(IP_DF): 0;
1141 		ip->ip_src = saidx->src.sin.sin_addr;
1142 		ip->ip_dst = saidx->dst.sin.sin_addr;
1143 		ip_ecn_ingress(V_ip4_ipsec_ecn, &ip->ip_tos, &itos);
1144 		ip_fillid(ip);
1145 		break;
1146 #endif /* INET */
1147 #ifdef INET6
1148 	case AF_INET6:
1149 		if (saidx->src.sa.sa_family != AF_INET6 ||
1150 		    IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr) ||
1151 		    IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr))
1152 			return (EINVAL);
1153 		*mp = ipsec_prepend(*mp, sizeof(struct ip6_hdr), M_NOWAIT);
1154 		if (*mp == NULL)
1155 			return (ENOBUFS);
1156 		ip6 = mtod(*mp, struct ip6_hdr *);
1157 		ip6->ip6_flow = 0;
1158 		ip6->ip6_vfc = IPV6_VERSION;
1159 		ip6->ip6_hlim = V_ip6_defhlim;
1160 		ip6->ip6_nxt = proto;
1161 		ip6->ip6_dst = saidx->dst.sin6.sin6_addr;
1162 		/* For link-local address embed scope zone id */
1163 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
1164 			ip6->ip6_dst.s6_addr16[1] =
1165 			    htons(saidx->dst.sin6.sin6_scope_id & 0xffff);
1166 		ip6->ip6_src = saidx->src.sin6.sin6_addr;
1167 		if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
1168 			ip6->ip6_src.s6_addr16[1] =
1169 			    htons(saidx->src.sin6.sin6_scope_id & 0xffff);
1170 		ip6->ip6_plen = htons((*mp)->m_pkthdr.len - sizeof(*ip6));
1171 		ip_ecn_ingress(V_ip6_ipsec_ecn, &proto, &itos);
1172 		ip6->ip6_flow |= htonl((uint32_t)proto << 20);
1173 		break;
1174 #endif /* INET6 */
1175 	default:
1176 		return (EAFNOSUPPORT);
1177 	}
1178 	(*mp)->m_flags &= ~(M_BCAST | M_MCAST);
1179 	return (0);
1180 }
1181