1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting 5 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 /* 31 * IPsec output processing. 32 */ 33 #include "opt_inet.h" 34 #include "opt_inet6.h" 35 #include "opt_ipsec.h" 36 #include "opt_sctp.h" 37 38 #include <sys/param.h> 39 #include <sys/systm.h> 40 #include <sys/mbuf.h> 41 #include <sys/domain.h> 42 #include <sys/protosw.h> 43 #include <sys/socket.h> 44 #include <sys/errno.h> 45 #include <sys/hhook.h> 46 #include <sys/syslog.h> 47 48 #include <net/if.h> 49 #include <net/if_enc.h> 50 #include <net/if_var.h> 51 #include <net/vnet.h> 52 53 #include <netinet/in.h> 54 #include <netinet/in_pcb.h> 55 #include <netinet/in_systm.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/in_var.h> 59 #include <netinet/ip_ecn.h> 60 #ifdef INET6 61 #include <netinet6/ip6_ecn.h> 62 #endif 63 #include <netinet/ip_icmp.h> 64 #include <netinet/tcp_var.h> 65 66 #include <netinet/ip6.h> 67 #ifdef INET6 68 #include <netinet6/ip6_var.h> 69 #include <netinet6/scope6_var.h> 70 #endif 71 #include <netinet/in_pcb.h> 72 #ifdef INET6 73 #include <netinet/icmp6.h> 74 #endif 75 #if defined(SCTP) || defined(SCTP_SUPPORT) 76 #include <netinet/sctp_crc32.h> 77 #endif 78 79 #include <netinet/udp.h> 80 #include <netipsec/ah.h> 81 #include <netipsec/esp.h> 82 #include <netipsec/ipsec.h> 83 #ifdef INET6 84 #include <netipsec/ipsec6.h> 85 #endif 86 #include <netipsec/ipsec_support.h> 87 #include <netipsec/ipsec_offload.h> 88 #include <netipsec/ah_var.h> 89 #include <netipsec/esp_var.h> 90 #include <netipsec/ipcomp_var.h> 91 92 #include <netipsec/xform.h> 93 94 #include <netipsec/key.h> 95 #include <netipsec/keydb.h> 96 #include <netipsec/key_debug.h> 97 98 #include <machine/in_cksum.h> 99 100 #define IPSEC_OSTAT_INC(proto, name) do { \ 101 if ((proto) == IPPROTO_ESP) \ 102 ESPSTAT_INC(esps_##name); \ 103 else if ((proto) == IPPROTO_AH)\ 104 AHSTAT_INC(ahs_##name); \ 105 else \ 106 IPCOMPSTAT_INC(ipcomps_##name); \ 107 } while (0) 108 109 static int ipsec_encap(struct mbuf **mp, struct secasindex *saidx); 110 static size_t ipsec_get_pmtu(struct secasvar *sav); 111 112 #ifdef INET 113 static struct secasvar * 114 ipsec4_allocsa(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp, 115 u_int *pidx, int *error) 116 { 117 struct secasindex *saidx, tmpsaidx; 118 struct ipsecrequest *isr; 119 struct sockaddr_in *sin; 120 struct secasvar *sav; 121 struct ip *ip; 122 123 /* 124 * Check system global policy controls. 125 */ 126 next: 127 isr = sp->req[*pidx]; 128 if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || 129 (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || 130 (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 131 DPRINTF(("%s: IPsec outbound packet dropped due" 132 " to policy (check your sysctls)\n", __func__)); 133 IPSEC_OSTAT_INC(isr->saidx.proto, pdrops); 134 *error = EHOSTUNREACH; 135 return (NULL); 136 } 137 /* 138 * Craft SA index to search for proper SA. Note that 139 * we only initialize unspecified SA peers for transport 140 * mode; for tunnel mode they must already be filled in. 141 */ 142 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 143 saidx = &tmpsaidx; 144 *saidx = isr->saidx; 145 ip = mtod(m, struct ip *); 146 if (saidx->src.sa.sa_len == 0) { 147 sin = &saidx->src.sin; 148 sin->sin_len = sizeof(*sin); 149 sin->sin_family = AF_INET; 150 sin->sin_port = IPSEC_PORT_ANY; 151 sin->sin_addr = ip->ip_src; 152 } 153 if (saidx->dst.sa.sa_len == 0) { 154 sin = &saidx->dst.sin; 155 sin->sin_len = sizeof(*sin); 156 sin->sin_family = AF_INET; 157 sin->sin_port = IPSEC_PORT_ANY; 158 sin->sin_addr = ip->ip_dst; 159 } 160 } else 161 saidx = &sp->req[*pidx]->saidx; 162 /* 163 * Lookup SA and validate it. 164 */ 165 sav = key_allocsa_policy(sp, saidx, error); 166 if (sav == NULL) { 167 IPSECSTAT_INC(ips_out_nosa); 168 if (*error != 0) 169 return (NULL); 170 if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) { 171 /* 172 * We have no SA and policy that doesn't require 173 * this IPsec transform, thus we can continue w/o 174 * IPsec processing, i.e. return EJUSTRETURN. 175 * But first check if there is some bundled transform. 176 */ 177 if (sp->tcount > ++(*pidx)) 178 goto next; 179 *error = EJUSTRETURN; 180 } 181 return (NULL); 182 } 183 IPSEC_ASSERT(sav->tdb_xform != NULL, ("SA with NULL tdb_xform")); 184 return (sav); 185 } 186 187 /* 188 * IPsec output logic for IPv4. 189 */ 190 static int 191 ipsec4_perform_request(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp, 192 struct inpcb *inp, u_int idx, u_long mtu) 193 { 194 struct ipsec_ctx_data ctx; 195 union sockaddr_union *dst; 196 struct secasvar *sav; 197 struct ip *ip; 198 int error, i, off; 199 200 IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx)); 201 202 /* 203 * We hold the reference to SP. Content of SP couldn't be changed. 204 * Craft secasindex and do lookup for suitable SA. 205 * Then do encapsulation if needed and call xform's output. 206 * We need to store SP in the xform callback parameters. 207 * In xform callback we will extract SP and it can be used to 208 * determine next transform. At the end of transform we can 209 * release reference to SP. 210 */ 211 sav = ipsec4_allocsa(ifp, m, sp, &idx, &error); 212 if (sav == NULL) { 213 if (error == EJUSTRETURN) { /* No IPsec required */ 214 (void)ipsec_accel_output(ifp, m, inp, sp, NULL, 215 AF_INET, mtu); 216 key_freesp(&sp); 217 return (error); 218 } 219 goto bad; 220 } 221 /* 222 * XXXAE: most likely ip_sum at this point is wrong. 223 */ 224 IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET, IPSEC_ENC_BEFORE); 225 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) 226 goto bad; 227 228 if (ipsec_accel_output(ifp, m, inp, sp, sav, AF_INET, mtu)) 229 return (EJUSTRETURN); 230 231 ip = mtod(m, struct ip *); 232 dst = &sav->sah->saidx.dst; 233 /* Do the appropriate encapsulation, if necessary */ 234 if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ 235 dst->sa.sa_family != AF_INET || /* PF mismatch */ 236 (dst->sa.sa_family == AF_INET && /* Proxy */ 237 dst->sin.sin_addr.s_addr != INADDR_ANY && 238 dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) { 239 /* Fix IPv4 header checksum and length */ 240 ip->ip_len = htons(m->m_pkthdr.len); 241 ip->ip_sum = 0; 242 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 243 error = ipsec_encap(&m, &sav->sah->saidx); 244 if (error != 0) { 245 DPRINTF(("%s: encapsulation for SPI 0x%08x failed " 246 "with error %d\n", __func__, ntohl(sav->spi), 247 error)); 248 /* XXXAE: IPSEC_OSTAT_INC(tunnel); */ 249 goto bad; 250 } 251 inp = NULL; 252 } 253 254 IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); 255 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) 256 goto bad; 257 258 /* 259 * Dispatch to the appropriate IPsec transform logic. The 260 * packet will be returned for transmission after crypto 261 * processing, etc. are completed. 262 * 263 * NB: m & sav are ``passed to caller'' who's responsible for 264 * reclaiming their resources. 265 */ 266 switch(dst->sa.sa_family) { 267 case AF_INET: 268 ip = mtod(m, struct ip *); 269 i = ip->ip_hl << 2; 270 off = offsetof(struct ip, ip_p); 271 break; 272 #ifdef INET6 273 case AF_INET6: 274 i = sizeof(struct ip6_hdr); 275 off = offsetof(struct ip6_hdr, ip6_nxt); 276 break; 277 #endif /* INET6 */ 278 default: 279 DPRINTF(("%s: unsupported protocol family %u\n", 280 __func__, dst->sa.sa_family)); 281 error = EPFNOSUPPORT; 282 IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf); 283 goto bad; 284 } 285 error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off); 286 return (error); 287 bad: 288 IPSECSTAT_INC(ips_out_inval); 289 if (m != NULL) 290 m_freem(m); 291 if (sav != NULL) 292 key_freesav(&sav); 293 key_freesp(&sp); 294 return (error); 295 } 296 297 int 298 ipsec4_process_packet(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp, 299 struct inpcb *inp, u_long mtu) 300 { 301 302 return (ipsec4_perform_request(ifp, m, sp, inp, 0, mtu)); 303 } 304 305 int 306 ipsec4_check_pmtu(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp, 307 int forwarding) 308 { 309 struct secasvar *sav; 310 struct ip *ip; 311 size_t hlen, pmtu; 312 uint32_t idx; 313 int error; 314 315 /* Don't check PMTU if the frame won't have DF bit set. */ 316 if (!V_ip4_ipsec_dfbit) 317 return (0); 318 if (V_ip4_ipsec_dfbit == 1) 319 goto setdf; 320 321 /* V_ip4_ipsec_dfbit > 1 - we will copy it from inner header. */ 322 ip = mtod(m, struct ip *); 323 if (!(ip->ip_off & htons(IP_DF))) 324 return (0); 325 326 setdf: 327 idx = sp->tcount - 1; 328 sav = ipsec4_allocsa(ifp, m, sp, &idx, &error); 329 if (sav == NULL) { 330 key_freesp(&sp); 331 /* 332 * No matching SA was found and SADB_ACQUIRE message was generated. 333 * Since we have matched a SP to this packet drop it silently. 334 */ 335 if (error == 0) 336 error = EINPROGRESS; 337 if (error != EJUSTRETURN) 338 m_freem(m); 339 340 return (error); 341 } 342 343 pmtu = ipsec_get_pmtu(sav); 344 if (pmtu == 0) { 345 key_freesav(&sav); 346 return (0); 347 } 348 349 hlen = ipsec_hdrsiz_internal(sp); 350 key_freesav(&sav); 351 352 if (m_length(m, NULL) + hlen > pmtu) { 353 /* 354 * If we're forwarding generate ICMP message here, 355 * so that it contains pmtu subtracted by header size. 356 * Set error to EINPROGRESS, in order for the frame 357 * to be dropped silently. 358 */ 359 if (forwarding) { 360 if (pmtu > hlen) 361 icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 362 0, pmtu - hlen); 363 else 364 m_freem(m); 365 366 key_freesp(&sp); 367 return (EINPROGRESS); /* Pretend that we consumed it. */ 368 } else { 369 m_freem(m); 370 key_freesp(&sp); 371 return (EMSGSIZE); 372 } 373 } 374 375 return (0); 376 } 377 378 static int 379 ipsec4_common_output(struct ifnet *ifp, struct mbuf *m, struct inpcb *inp, 380 int forwarding, u_long mtu) 381 { 382 struct secpolicy *sp; 383 int error; 384 385 /* Lookup for the corresponding outbound security policy */ 386 sp = ipsec4_checkpolicy(m, inp, &error, !forwarding); 387 if (sp == NULL) { 388 if (error == -EINVAL) { 389 /* Discarded by policy. */ 390 m_freem(m); 391 return (EACCES); 392 } 393 return (0); /* No IPsec required. */ 394 } 395 396 /* 397 * Usually we have to have tunnel mode IPsec security policy 398 * when we are forwarding a packet. Otherwise we could not handle 399 * encrypted replies, because they are not destined for us. But 400 * some users are doing source address translation for forwarded 401 * packets, and thus, even if they are forwarded, the replies will 402 * return back to us. 403 */ 404 if (!forwarding) { 405 /* 406 * Do delayed checksums now because we send before 407 * this is done in the normal processing path. 408 */ 409 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { 410 in_delayed_cksum(m); 411 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; 412 } 413 #if defined(SCTP) || defined(SCTP_SUPPORT) 414 if (m->m_pkthdr.csum_flags & CSUM_SCTP) { 415 struct ip *ip; 416 417 ip = mtod(m, struct ip *); 418 sctp_delayed_cksum(m, (uint32_t)(ip->ip_hl << 2)); 419 m->m_pkthdr.csum_flags &= ~CSUM_SCTP; 420 } 421 #endif 422 } 423 /* NB: callee frees mbuf and releases reference to SP */ 424 error = ipsec4_check_pmtu(ifp, m, sp, forwarding); 425 if (error != 0) { 426 if (error == EJUSTRETURN) 427 return (0); 428 429 return (error); 430 } 431 432 error = ipsec4_process_packet(ifp, m, sp, inp, mtu); 433 if (error == EJUSTRETURN) { 434 /* 435 * We had a SP with a level of 'use' and no SA. We 436 * will just continue to process the packet without 437 * IPsec processing and return without error. 438 */ 439 return (0); 440 } 441 if (error == 0) 442 return (EINPROGRESS); /* consumed by IPsec */ 443 return (error); 444 } 445 446 /* 447 * IPSEC_OUTPUT() method implementation for IPv4. 448 * 0 - no IPsec handling needed 449 * other values - mbuf consumed by IPsec. 450 */ 451 int 452 ipsec4_output(struct ifnet *ifp, struct mbuf *m, struct inpcb *inp, u_long mtu) 453 { 454 455 /* 456 * If the packet is resubmitted to ip_output (e.g. after 457 * AH, ESP, etc. processing), there will be a tag to bypass 458 * the lookup and related policy checking. 459 */ 460 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) 461 return (0); 462 463 return (ipsec4_common_output(ifp, m, inp, 0, mtu)); 464 } 465 466 /* 467 * IPSEC_FORWARD() method implementation for IPv4. 468 * 0 - no IPsec handling needed 469 * other values - mbuf consumed by IPsec. 470 */ 471 int 472 ipsec4_forward(struct mbuf *m) 473 { 474 475 /* 476 * Check if this packet has an active inbound SP and needs to be 477 * dropped instead of forwarded. 478 */ 479 if (ipsec4_in_reject(m, NULL) != 0) { 480 m_freem(m); 481 return (EACCES); 482 } 483 return (ipsec4_common_output(NULL /* XXXKIB */, m, NULL, 1, 0)); 484 } 485 #endif 486 487 #ifdef INET6 488 static int 489 in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, 490 const struct in6_addr *ia) 491 { 492 struct in6_addr ia2; 493 494 if (IN6_IS_SCOPE_LINKLOCAL(&sa->sin6_addr)) { 495 memcpy(&ia2, &sa->sin6_addr, sizeof(ia2)); 496 ia2.s6_addr16[1] = htons(sa->sin6_scope_id); 497 return (IN6_ARE_ADDR_EQUAL(ia, &ia2)); 498 } 499 return (IN6_ARE_ADDR_EQUAL(&sa->sin6_addr, ia)); 500 } 501 502 static struct secasvar * 503 ipsec6_allocsa(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp, 504 u_int *pidx, int *error) 505 { 506 struct secasindex *saidx, tmpsaidx; 507 struct ipsecrequest *isr; 508 struct sockaddr_in6 *sin6; 509 struct secasvar *sav; 510 struct ip6_hdr *ip6; 511 512 /* 513 * Check system global policy controls. 514 */ 515 next: 516 isr = sp->req[*pidx]; 517 if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || 518 (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || 519 (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 520 DPRINTF(("%s: IPsec outbound packet dropped due" 521 " to policy (check your sysctls)\n", __func__)); 522 IPSEC_OSTAT_INC(isr->saidx.proto, pdrops); 523 *error = EHOSTUNREACH; 524 return (NULL); 525 } 526 /* 527 * Craft SA index to search for proper SA. Note that 528 * we only fillin unspecified SA peers for transport 529 * mode; for tunnel mode they must already be filled in. 530 */ 531 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) { 532 saidx = &tmpsaidx; 533 *saidx = isr->saidx; 534 ip6 = mtod(m, struct ip6_hdr *); 535 if (saidx->src.sin6.sin6_len == 0) { 536 sin6 = (struct sockaddr_in6 *)&saidx->src; 537 sin6->sin6_len = sizeof(*sin6); 538 sin6->sin6_family = AF_INET6; 539 sin6->sin6_port = IPSEC_PORT_ANY; 540 sin6->sin6_addr = ip6->ip6_src; 541 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) { 542 /* fix scope id for comparing SPD */ 543 sin6->sin6_addr.s6_addr16[1] = 0; 544 sin6->sin6_scope_id = 545 ntohs(ip6->ip6_src.s6_addr16[1]); 546 } 547 } 548 if (saidx->dst.sin6.sin6_len == 0) { 549 sin6 = (struct sockaddr_in6 *)&saidx->dst; 550 sin6->sin6_len = sizeof(*sin6); 551 sin6->sin6_family = AF_INET6; 552 sin6->sin6_port = IPSEC_PORT_ANY; 553 sin6->sin6_addr = ip6->ip6_dst; 554 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) { 555 /* fix scope id for comparing SPD */ 556 sin6->sin6_addr.s6_addr16[1] = 0; 557 sin6->sin6_scope_id = 558 ntohs(ip6->ip6_dst.s6_addr16[1]); 559 } 560 } 561 } else 562 saidx = &sp->req[*pidx]->saidx; 563 /* 564 * Lookup SA and validate it. 565 */ 566 sav = key_allocsa_policy(sp, saidx, error); 567 if (sav == NULL) { 568 IPSEC6STAT_INC(ips_out_nosa); 569 if (*error != 0) 570 return (NULL); 571 if (ipsec_get_reqlevel(sp, *pidx) != IPSEC_LEVEL_REQUIRE) { 572 /* 573 * We have no SA and policy that doesn't require 574 * this IPsec transform, thus we can continue w/o 575 * IPsec processing, i.e. return EJUSTRETURN. 576 * But first check if there is some bundled transform. 577 */ 578 if (sp->tcount > ++(*pidx)) 579 goto next; 580 *error = EJUSTRETURN; 581 } 582 return (NULL); 583 } 584 IPSEC_ASSERT(sav->tdb_xform != NULL, ("SA with NULL tdb_xform")); 585 return (sav); 586 } 587 588 /* 589 * IPsec output logic for IPv6. 590 */ 591 static int 592 ipsec6_perform_request(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp, 593 struct inpcb *inp, u_int idx, u_long mtu) 594 { 595 struct ipsec_ctx_data ctx; 596 union sockaddr_union *dst; 597 struct secasvar *sav; 598 struct ip6_hdr *ip6; 599 int error, i, off; 600 601 IPSEC_ASSERT(idx < sp->tcount, ("Wrong IPsec request index %d", idx)); 602 603 sav = ipsec6_allocsa(ifp, m, sp, &idx, &error); 604 if (sav == NULL) { 605 if (error == EJUSTRETURN) { /* No IPsec required */ 606 (void)ipsec_accel_output(ifp, m, inp, sp, NULL, 607 AF_INET6, mtu); 608 key_freesp(&sp); 609 return (error); 610 } 611 goto bad; 612 } 613 614 /* Fix IP length in case if it is not set yet. */ 615 ip6 = mtod(m, struct ip6_hdr *); 616 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6)); 617 618 IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET6, IPSEC_ENC_BEFORE); 619 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) 620 goto bad; 621 622 if (ipsec_accel_output(ifp, m, inp, sp, sav, AF_INET6, mtu)) 623 return (EJUSTRETURN); 624 625 ip6 = mtod(m, struct ip6_hdr *); /* pfil can change mbuf */ 626 dst = &sav->sah->saidx.dst; 627 628 /* Do the appropriate encapsulation, if necessary */ 629 if (sp->req[idx]->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ 630 dst->sa.sa_family != AF_INET6 || /* PF mismatch */ 631 ((dst->sa.sa_family == AF_INET6) && 632 (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) && 633 (!in6_sa_equal_addrwithscope(&dst->sin6, &ip6->ip6_dst)))) { 634 if (m->m_pkthdr.len - sizeof(*ip6) > IPV6_MAXPACKET) { 635 /* No jumbogram support. */ 636 error = ENXIO; /*XXX*/ 637 goto bad; 638 } 639 error = ipsec_encap(&m, &sav->sah->saidx); 640 if (error != 0) { 641 DPRINTF(("%s: encapsulation for SPI 0x%08x failed " 642 "with error %d\n", __func__, ntohl(sav->spi), 643 error)); 644 /* XXXAE: IPSEC_OSTAT_INC(tunnel); */ 645 goto bad; 646 } 647 inp = NULL; 648 } 649 650 IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); 651 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0) 652 goto bad; 653 654 switch(dst->sa.sa_family) { 655 #ifdef INET 656 case AF_INET: 657 { 658 struct ip *ip; 659 ip = mtod(m, struct ip *); 660 i = ip->ip_hl << 2; 661 off = offsetof(struct ip, ip_p); 662 } 663 break; 664 #endif /* AF_INET */ 665 case AF_INET6: 666 i = sizeof(struct ip6_hdr); 667 off = offsetof(struct ip6_hdr, ip6_nxt); 668 break; 669 default: 670 DPRINTF(("%s: unsupported protocol family %u\n", 671 __func__, dst->sa.sa_family)); 672 error = EPFNOSUPPORT; 673 IPSEC_OSTAT_INC(sav->sah->saidx.proto, nopf); 674 goto bad; 675 } 676 error = (*sav->tdb_xform->xf_output)(m, sp, sav, idx, i, off); 677 return (error); 678 bad: 679 IPSEC6STAT_INC(ips_out_inval); 680 if (m != NULL) 681 m_freem(m); 682 if (sav != NULL) 683 key_freesav(&sav); 684 key_freesp(&sp); 685 return (error); 686 } 687 688 int 689 ipsec6_process_packet(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp, 690 struct inpcb *inp, u_long mtu) 691 { 692 693 return (ipsec6_perform_request(ifp, m, sp, inp, 0, mtu)); 694 } 695 696 /* 697 * IPv6 implementation is based on IPv4 implementation. 698 */ 699 int 700 ipsec6_check_pmtu(struct ifnet *ifp, struct mbuf *m, struct secpolicy *sp, 701 int forwarding) 702 { 703 struct secasvar *sav; 704 size_t hlen, pmtu; 705 uint32_t idx; 706 int error; 707 708 /* 709 * According to RFC8200 L3 fragmentation is supposed to be done only on 710 * locally generated packets. During L3 forwarding packets that are too 711 * big are always supposed to be dropped, with an ICMPv6 packet being 712 * sent back. 713 */ 714 if (!forwarding) 715 return (0); 716 717 idx = sp->tcount - 1; 718 sav = ipsec6_allocsa(ifp, m, sp, &idx, &error); 719 if (sav == NULL) { 720 key_freesp(&sp); 721 /* 722 * No matching SA was found and SADB_ACQUIRE message was generated. 723 * Since we have matched a SP to this packet drop it silently. 724 */ 725 if (error == 0) 726 error = EINPROGRESS; 727 if (error != EJUSTRETURN) 728 m_freem(m); 729 730 return (error); 731 } 732 733 pmtu = ipsec_get_pmtu(sav); 734 if (pmtu == 0) { 735 key_freesav(&sav); 736 return (0); 737 } 738 739 hlen = ipsec_hdrsiz_internal(sp); 740 key_freesav(&sav); 741 742 if (m_length(m, NULL) + hlen > pmtu) { 743 /* 744 * If we're forwarding generate ICMPv6 message here, 745 * so that it contains pmtu subtracted by header size. 746 * Set error to EINPROGRESS, in order for the frame 747 * to be dropped silently. 748 */ 749 if (forwarding) { 750 if (pmtu > hlen) 751 icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, pmtu - hlen); 752 else 753 m_freem(m); 754 755 key_freesp(&sp); 756 return (EINPROGRESS); /* Pretend that we consumed it. */ 757 } 758 } 759 760 return (0); 761 } 762 763 static int 764 ipsec6_common_output(struct ifnet *ifp, struct mbuf *m, struct inpcb *inp, 765 int forwarding, u_long mtu) 766 { 767 struct secpolicy *sp; 768 int error; 769 770 /* Lookup for the corresponding outbound security policy */ 771 sp = ipsec6_checkpolicy(m, inp, &error, !forwarding); 772 if (sp == NULL) { 773 if (error == -EINVAL) { 774 /* Discarded by policy. */ 775 m_freem(m); 776 return (EACCES); 777 } 778 return (0); /* No IPsec required. */ 779 } 780 781 if (!forwarding) { 782 /* 783 * Do delayed checksums now because we send before 784 * this is done in the normal processing path. 785 */ 786 if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { 787 in6_delayed_cksum(m, m->m_pkthdr.len - 788 sizeof(struct ip6_hdr), sizeof(struct ip6_hdr)); 789 m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; 790 } 791 #if defined(SCTP) || defined(SCTP_SUPPORT) 792 if (m->m_pkthdr.csum_flags & CSUM_SCTP_IPV6) { 793 sctp_delayed_cksum(m, sizeof(struct ip6_hdr)); 794 m->m_pkthdr.csum_flags &= ~CSUM_SCTP_IPV6; 795 } 796 #endif 797 } 798 799 error = ipsec6_check_pmtu(ifp, m, sp, forwarding); 800 if (error != 0) { 801 if (error == EJUSTRETURN) 802 return (0); 803 804 return (error); 805 } 806 807 /* NB: callee frees mbuf and releases reference to SP */ 808 error = ipsec6_process_packet(ifp, m, sp, inp, mtu); 809 if (error == EJUSTRETURN) { 810 /* 811 * We had a SP with a level of 'use' and no SA. We 812 * will just continue to process the packet without 813 * IPsec processing and return without error. 814 */ 815 return (0); 816 } 817 if (error == 0) 818 return (EINPROGRESS); /* consumed by IPsec */ 819 return (error); 820 } 821 822 /* 823 * IPSEC_OUTPUT() method implementation for IPv6. 824 * 0 - no IPsec handling needed 825 * other values - mbuf consumed by IPsec. 826 */ 827 int 828 ipsec6_output(struct ifnet *ifp, struct mbuf *m, struct inpcb *inp, u_long mtu) 829 { 830 831 /* 832 * If the packet is resubmitted to ip_output (e.g. after 833 * AH, ESP, etc. processing), there will be a tag to bypass 834 * the lookup and related policy checking. 835 */ 836 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) 837 return (0); 838 839 return (ipsec6_common_output(ifp, m, inp, 0, mtu)); 840 } 841 842 /* 843 * IPSEC_FORWARD() method implementation for IPv6. 844 * 0 - no IPsec handling needed 845 * other values - mbuf consumed by IPsec. 846 */ 847 int 848 ipsec6_forward(struct mbuf *m) 849 { 850 851 /* 852 * Check if this packet has an active inbound SP and needs to be 853 * dropped instead of forwarded. 854 */ 855 if (ipsec6_in_reject(m, NULL) != 0) { 856 m_freem(m); 857 return (EACCES); 858 } 859 return (ipsec6_common_output(NULL /* XXXKIB */, m, NULL, 1, 0)); 860 } 861 #endif /* INET6 */ 862 863 int 864 ipsec_process_done(struct mbuf *m, struct secpolicy *sp, struct secasvar *sav, 865 u_int idx) 866 { 867 struct epoch_tracker et; 868 struct xform_history *xh; 869 struct secasindex *saidx; 870 struct m_tag *mtag; 871 int error; 872 873 if (sav->state >= SADB_SASTATE_DEAD) { 874 error = ESRCH; 875 goto bad; 876 } 877 saidx = &sav->sah->saidx; 878 switch (saidx->dst.sa.sa_family) { 879 #ifdef INET 880 case AF_INET: 881 /* Fix the header length, for AH processing. */ 882 mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len); 883 break; 884 #endif /* INET */ 885 #ifdef INET6 886 case AF_INET6: 887 /* Fix the header length, for AH processing. */ 888 if (m->m_pkthdr.len < sizeof (struct ip6_hdr)) { 889 error = ENXIO; 890 goto bad; 891 } 892 if (m->m_pkthdr.len - sizeof (struct ip6_hdr) > IPV6_MAXPACKET) { 893 /* No jumbogram support. */ 894 error = ENXIO; /*?*/ 895 goto bad; 896 } 897 mtod(m, struct ip6_hdr *)->ip6_plen = 898 htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 899 break; 900 #endif /* INET6 */ 901 default: 902 DPRINTF(("%s: unknown protocol family %u\n", __func__, 903 saidx->dst.sa.sa_family)); 904 error = ENXIO; 905 goto bad; 906 } 907 908 /* 909 * Add a record of what we've done to the packet. 910 */ 911 mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(*xh), M_NOWAIT); 912 if (mtag == NULL) { 913 DPRINTF(("%s: could not get packet tag\n", __func__)); 914 error = ENOMEM; 915 goto bad; 916 } 917 918 xh = (struct xform_history *)(mtag + 1); 919 xh->dst = saidx->dst; 920 xh->proto = saidx->proto; 921 xh->mode = saidx->mode; 922 xh->spi = sav->spi; 923 m_tag_prepend(m, mtag); 924 925 key_sa_recordxfer(sav, m); /* record data transfer */ 926 927 /* 928 * If there's another (bundled) SA to apply, do so. 929 * Note that this puts a burden on the kernel stack size. 930 * If this is a problem we'll need to introduce a queue 931 * to set the packet on so we can unwind the stack before 932 * doing further processing. 933 */ 934 if (++idx < sp->tcount) { 935 switch (saidx->dst.sa.sa_family) { 936 #ifdef INET 937 case AF_INET: 938 key_freesav(&sav); 939 IPSECSTAT_INC(ips_out_bundlesa); 940 return (ipsec4_perform_request(NULL, m, sp, NULL, 941 idx, 0)); 942 /* NOTREACHED */ 943 #endif 944 #ifdef INET6 945 case AF_INET6: 946 key_freesav(&sav); 947 IPSEC6STAT_INC(ips_out_bundlesa); 948 return (ipsec6_perform_request(NULL, m, sp, NULL, 949 idx, 0)); 950 /* NOTREACHED */ 951 #endif /* INET6 */ 952 default: 953 DPRINTF(("%s: unknown protocol family %u\n", __func__, 954 saidx->dst.sa.sa_family)); 955 error = EPFNOSUPPORT; 956 goto bad; 957 } 958 } 959 960 key_freesp(&sp), sp = NULL; /* Release reference to SP */ 961 #if defined(INET) || defined(INET6) 962 /* 963 * Do UDP encapsulation if SA requires it. 964 */ 965 if (sav->natt != NULL) { 966 error = udp_ipsec_output(m, sav); 967 if (error != 0) 968 goto bad; 969 } 970 #endif /* INET || INET6 */ 971 /* 972 * We're done with IPsec processing, transmit the packet using the 973 * appropriate network protocol (IP or IPv6). 974 */ 975 NET_EPOCH_ENTER(et); 976 switch (saidx->dst.sa.sa_family) { 977 #ifdef INET 978 case AF_INET: 979 key_freesav(&sav); 980 error = ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL); 981 break; 982 #endif /* INET */ 983 #ifdef INET6 984 case AF_INET6: 985 key_freesav(&sav); 986 error = ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); 987 break; 988 #endif /* INET6 */ 989 default: 990 panic("ipsec_process_done"); 991 } 992 NET_EPOCH_EXIT(et); 993 return (error); 994 bad: 995 m_freem(m); 996 key_freesav(&sav); 997 if (sp != NULL) 998 key_freesp(&sp); 999 return (error); 1000 } 1001 1002 /* 1003 * ipsec_prepend() is optimized version of M_PREPEND(). 1004 * ipsec_encap() is called by IPsec output routine for tunnel mode SA. 1005 * It is expected that after IP encapsulation some IPsec transform will 1006 * be performed. Each IPsec transform inserts its variable length header 1007 * just after outer IP header using m_makespace(). If given mbuf has not 1008 * enough free space at the beginning, we allocate new mbuf and reserve 1009 * some space at the beginning and at the end. 1010 * This helps avoid allocating of new mbuf and data copying in m_makespace(), 1011 * we place outer header in the middle of mbuf's data with reserved leading 1012 * and trailing space: 1013 * [ LEADINGSPACE ][ Outer IP header ][ TRAILINGSPACE ] 1014 * LEADINGSPACE will be used to add ethernet header, TRAILINGSPACE will 1015 * be used to inject AH/ESP/IPCOMP header. 1016 */ 1017 #define IPSEC_TRAILINGSPACE (sizeof(struct udphdr) +/* NAT-T */ \ 1018 max(sizeof(struct newesp) + EALG_MAX_BLOCK_LEN, /* ESP + IV */ \ 1019 sizeof(struct newah) + HASH_MAX_LEN /* AH + ICV */)) 1020 static struct mbuf * 1021 ipsec_prepend(struct mbuf *m, int len, int how) 1022 { 1023 struct mbuf *n; 1024 1025 M_ASSERTPKTHDR(m); 1026 IPSEC_ASSERT(len < MHLEN, ("wrong length")); 1027 if (M_LEADINGSPACE(m) >= len) { 1028 /* No need to allocate new mbuf. */ 1029 m->m_data -= len; 1030 m->m_len += len; 1031 m->m_pkthdr.len += len; 1032 return (m); 1033 } 1034 n = m_gethdr(how, m->m_type); 1035 if (n == NULL) { 1036 m_freem(m); 1037 return (NULL); 1038 } 1039 m_move_pkthdr(n, m); 1040 n->m_next = m; 1041 if (len + IPSEC_TRAILINGSPACE < M_SIZE(n)) 1042 m_align(n, len + IPSEC_TRAILINGSPACE); 1043 n->m_len = len; 1044 n->m_pkthdr.len += len; 1045 return (n); 1046 } 1047 1048 static size_t 1049 ipsec_get_pmtu(struct secasvar *sav) 1050 { 1051 union sockaddr_union *dst; 1052 struct in_conninfo inc; 1053 size_t pmtu; 1054 1055 dst = &sav->sah->saidx.dst; 1056 memset(&inc, 0, sizeof(inc)); 1057 1058 switch (dst->sa.sa_family) { 1059 #ifdef INET 1060 case AF_INET: 1061 inc.inc_faddr = satosin(&dst->sa)->sin_addr; 1062 break; 1063 #endif 1064 #ifdef INET6 1065 case AF_INET6: 1066 inc.inc6_faddr = satosin6(&dst->sa)->sin6_addr; 1067 inc.inc_flags |= INC_ISIPV6; 1068 break; 1069 #endif 1070 default: 1071 return (0); 1072 } 1073 1074 pmtu = tcp_hc_getmtu(&inc); 1075 if (pmtu != 0) 1076 return (pmtu); 1077 1078 /* No entry in hostcache. Assume that PMTU is equal to link's MTU */ 1079 switch (dst->sa.sa_family) { 1080 #ifdef INET 1081 case AF_INET: 1082 pmtu = tcp_maxmtu(&inc, NULL); 1083 break; 1084 #endif 1085 #ifdef INET6 1086 case AF_INET6: 1087 pmtu = tcp_maxmtu6(&inc, NULL); 1088 break; 1089 #endif 1090 default: 1091 return (0); 1092 } 1093 if (pmtu == 0) 1094 return (0); 1095 1096 tcp_hc_updatemtu(&inc, pmtu); 1097 1098 return (pmtu); 1099 } 1100 1101 static int 1102 ipsec_encap(struct mbuf **mp, struct secasindex *saidx) 1103 { 1104 #ifdef INET6 1105 struct ip6_hdr *ip6; 1106 #endif 1107 struct ip *ip; 1108 #ifdef INET 1109 int setdf; 1110 #endif 1111 uint8_t itos, proto; 1112 1113 ip = mtod(*mp, struct ip *); 1114 switch (ip->ip_v) { 1115 #ifdef INET 1116 case IPVERSION: 1117 proto = IPPROTO_IPIP; 1118 /* 1119 * Collect IP_DF state from the inner header 1120 * and honor system-wide control of how to handle it. 1121 */ 1122 switch (V_ip4_ipsec_dfbit) { 1123 case 0: /* clear in outer header */ 1124 case 1: /* set in outer header */ 1125 setdf = V_ip4_ipsec_dfbit; 1126 break; 1127 default:/* propagate to outer header */ 1128 setdf = (ip->ip_off & htons(IP_DF)) != 0; 1129 } 1130 itos = ip->ip_tos; 1131 break; 1132 #endif 1133 #ifdef INET6 1134 case (IPV6_VERSION >> 4): 1135 proto = IPPROTO_IPV6; 1136 ip6 = mtod(*mp, struct ip6_hdr *); 1137 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 1138 /* scoped address handling */ 1139 in6_clearscope(&ip6->ip6_src); 1140 in6_clearscope(&ip6->ip6_dst); 1141 break; 1142 #endif 1143 default: 1144 return (EAFNOSUPPORT); 1145 } 1146 switch (saidx->dst.sa.sa_family) { 1147 #ifdef INET 1148 case AF_INET: 1149 if (saidx->src.sa.sa_family != AF_INET || 1150 saidx->src.sin.sin_addr.s_addr == INADDR_ANY || 1151 saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) 1152 return (EINVAL); 1153 *mp = ipsec_prepend(*mp, sizeof(struct ip), M_NOWAIT); 1154 if (*mp == NULL) 1155 return (ENOBUFS); 1156 ip = mtod(*mp, struct ip *); 1157 ip->ip_v = IPVERSION; 1158 ip->ip_hl = sizeof(struct ip) >> 2; 1159 ip->ip_p = proto; 1160 ip->ip_len = htons((*mp)->m_pkthdr.len); 1161 ip->ip_ttl = V_ip_defttl; 1162 ip->ip_sum = 0; 1163 ip->ip_off = setdf ? htons(IP_DF): 0; 1164 ip->ip_src = saidx->src.sin.sin_addr; 1165 ip->ip_dst = saidx->dst.sin.sin_addr; 1166 ip_ecn_ingress(V_ip4_ipsec_ecn, &ip->ip_tos, &itos); 1167 ip_fillid(ip); 1168 break; 1169 #endif /* INET */ 1170 #ifdef INET6 1171 case AF_INET6: 1172 if (saidx->src.sa.sa_family != AF_INET6 || 1173 IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr) || 1174 IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr)) 1175 return (EINVAL); 1176 *mp = ipsec_prepend(*mp, sizeof(struct ip6_hdr), M_NOWAIT); 1177 if (*mp == NULL) 1178 return (ENOBUFS); 1179 ip6 = mtod(*mp, struct ip6_hdr *); 1180 ip6->ip6_flow = 0; 1181 ip6->ip6_vfc = IPV6_VERSION; 1182 ip6->ip6_hlim = V_ip6_defhlim; 1183 ip6->ip6_nxt = proto; 1184 ip6->ip6_dst = saidx->dst.sin6.sin6_addr; 1185 /* For link-local address embed scope zone id */ 1186 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) 1187 ip6->ip6_dst.s6_addr16[1] = 1188 htons(saidx->dst.sin6.sin6_scope_id & 0xffff); 1189 ip6->ip6_src = saidx->src.sin6.sin6_addr; 1190 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) 1191 ip6->ip6_src.s6_addr16[1] = 1192 htons(saidx->src.sin6.sin6_scope_id & 0xffff); 1193 ip6->ip6_plen = htons((*mp)->m_pkthdr.len - sizeof(*ip6)); 1194 ip_ecn_ingress(V_ip6_ipsec_ecn, &proto, &itos); 1195 ip6->ip6_flow |= htonl((uint32_t)proto << 20); 1196 break; 1197 #endif /* INET6 */ 1198 default: 1199 return (EAFNOSUPPORT); 1200 } 1201 (*mp)->m_flags &= ~(M_BCAST | M_MCAST); 1202 return (0); 1203 } 1204