search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dma: add DragonFly compat files
[dragonfly.git] / sys / netproto / ipsec / ipsec_output.c
blobd31f1b909976627ca64fd3ad291c25b14e8ab344
1 /*-
2 * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24 * SUCH DAMAGE.
25 *
26 * $FreeBSD: src/sys/netipsec/ipsec_output.c,v 1.3.2.2 2003/03/28 20:32:53 sam Exp $
27 * $DragonFly: src/sys/netproto/ipsec/ipsec_output.c,v 1.12 2008/05/27 01:10:44 dillon Exp $
28 */
29
30 /*
31 * IPsec output processing.
32 */
33 #include "opt_inet.h"
34 #include "opt_inet6.h"
35 #include "opt_ipsec.h"
36
37 #include <sys/param.h>
38 #include <sys/systm.h>
39 #include <sys/mbuf.h>
40 #include <sys/domain.h>
41 #include <sys/protosw.h>
42 #include <sys/socket.h>
43 #include <sys/errno.h>
44 #include <sys/syslog.h>
45 #include <sys/in_cksum.h>
46
47 #include <net/if.h>
48 #include <net/route.h>
49
50 #include <netinet/in.h>
51 #include <netinet/in_systm.h>
52 #include <netinet/ip.h>
53 #include <netinet/ip_var.h>
54 #include <netinet/in_var.h>
55 #include <netinet/ip_ecn.h>
56 #ifdef INET6
57 #include <netinet6/ip6_ecn.h>
58 #endif
59
60 #include <netinet/ip6.h>
61 #ifdef INET6
62 #include <netinet6/ip6_var.h>
63 #endif
64 #include <netinet/in_pcb.h>
65 #ifdef INET6
66 #include <netinet/icmp6.h>
67 #endif
68
69 #include <netproto/ipsec/ipsec.h>
70 #ifdef INET6
71 #include <netproto/ipsec/ipsec6.h>
72 #endif
73 #include <netproto/ipsec/ah_var.h>
74 #include <netproto/ipsec/esp_var.h>
75 #include <netproto/ipsec/ipcomp_var.h>
76
77 #include <netproto/ipsec/xform.h>
78
79 #include <netproto/ipsec/key.h>
80 #include <netproto/ipsec/keydb.h>
81 #include <netproto/ipsec/key_debug.h>
82
83 int
84 ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
85 {
86 struct tdb_ident *tdbi;
87 struct m_tag *mtag;
88 struct secasvar *sav;
89 struct secasindex *saidx;
90 int error;
91
92 KASSERT(m != NULL, ("ipsec_process_done: null mbuf"));
93 KASSERT(isr != NULL, ("ipsec_process_done: null ISR"));
94 sav = isr->sav;
95 KASSERT(sav != NULL, ("ipsec_process_done: null SA"));
96 KASSERT(sav->sah != NULL, ("ipsec_process_done: null SAH"));
97
98 saidx = &sav->sah->saidx;
99 switch (saidx->dst.sa.sa_family) {
100 #ifdef INET
101 case AF_INET:
102 /* Fix the header length, for AH processing. */
103 mtod(m, struct ip *)->ip_len = htons(m->m_pkthdr.len);
104 break;
105 #endif /* INET */
106 #ifdef INET6
107 case AF_INET6:
108 /* Fix the header length, for AH processing. */
109 if (m->m_pkthdr.len < sizeof (struct ip6_hdr)) {
110 error = ENXIO;
111 goto bad;
112 }
113 if (m->m_pkthdr.len - sizeof (struct ip6_hdr) > IPV6_MAXPACKET) {
114 /* No jumbogram support. */
115 error = ENXIO; /*?*/
116 goto bad;
117 }
118 mtod(m, struct ip6_hdr *)->ip6_plen =
119 htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
120 break;
121 #endif /* INET6 */
122 default:
123 DPRINTF(("ipsec_process_done: unknown protocol family %u\n",
124 saidx->dst.sa.sa_family));
125 error = ENXIO;
126 goto bad;
127 }
128
129 /*
130 * Add a record of what we've done or what needs to be done to the
131 * packet.
132 */
133 mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE,
134 sizeof(struct tdb_ident), MB_DONTWAIT);
135 if (mtag == NULL) {
136 DPRINTF(("ipsec_process_done: could not get packet tag\n"));
137 error = ENOMEM;
138 goto bad;
139 }
140
141 tdbi = (struct tdb_ident *)m_tag_data(mtag);
142 tdbi->dst = saidx->dst;
143 tdbi->proto = saidx->proto;
144 tdbi->spi = sav->spi;
145 m_tag_prepend(m, mtag);
146
147 /*
148 * If there's another (bundled) SA to apply, do so.
149 * Note that this puts a burden on the kernel stack size.
150 * If this is a problem we'll need to introduce a queue
151 * to set the packet on so we can unwind the stack before
152 * doing further processing.
153 */
154 if (isr->next) {
155 newipsecstat.ips_out_bundlesa++;
156 return ipsec4_process_packet(m, isr->next, 0, 0);
157 }
158
159 /*
160 * We're done with IPsec processing, transmit the packet using the
161 * appropriate network protocol (IP or IPv6). SPD lookup will be
162 * performed again there.
163 */
164 switch (saidx->dst.sa.sa_family) {
165 #ifdef INET
166 struct ip *ip;
167 case AF_INET:
168 ip = mtod(m, struct ip *);
169 ip->ip_len = ntohs(ip->ip_len);
170 ip->ip_off = ntohs(ip->ip_off);
171
172 return ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL);
173 #endif /* INET */
174 #ifdef INET6
175 case AF_INET6:
176 /*
177 * We don't need massage, IPv6 header fields are always in
178 * net endian.
179 */
180 return ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL);
181 #endif /* INET6 */
182 }
183 panic("ipsec_process_done");
184 bad:
185 m_freem(m);
186 KEY_FREESAV(&sav);
187 return (error);
188 }
189
190 static struct ipsecrequest *
191 ipsec_nextisr(
192 struct mbuf *m,
193 struct ipsecrequest *isr,
194 int af,
195 struct secasindex *saidx,
196 int *error
197 )
198 {
199 #define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \
200 isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++)
201 struct secasvar *sav;
202
203 KASSERT(af == AF_INET || af == AF_INET6,
204 ("ipsec_nextisr: invalid address family %u", af));
205 again:
206 /*
207 * Craft SA index to search for proper SA. Note that
208 * we only fillin unspecified SA peers for transport
209 * mode; for tunnel mode they must already be filled in.
210 */
211 *saidx = isr->saidx;
212 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT) {
213 /* Fillin unspecified SA peers only for transport mode */
214 if (af == AF_INET) {
215 struct sockaddr_in *sin;
216 struct ip *ip = mtod(m, struct ip *);
217
218 if (saidx->src.sa.sa_len == 0) {
219 sin = &saidx->src.sin;
220 sin->sin_len = sizeof(*sin);
221 sin->sin_family = AF_INET;
222 sin->sin_port = IPSEC_PORT_ANY;
223 sin->sin_addr = ip->ip_src;
224 }
225 if (saidx->dst.sa.sa_len == 0) {
226 sin = &saidx->dst.sin;
227 sin->sin_len = sizeof(*sin);
228 sin->sin_family = AF_INET;
229 sin->sin_port = IPSEC_PORT_ANY;
230 sin->sin_addr = ip->ip_dst;
231 }
232 } else {
233 struct sockaddr_in6 *sin6;
234 struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
235
236 if (saidx->src.sin6.sin6_len == 0) {
237 sin6 = (struct sockaddr_in6 *)&saidx->src;
238 sin6->sin6_len = sizeof(*sin6);
239 sin6->sin6_family = AF_INET6;
240 sin6->sin6_port = IPSEC_PORT_ANY;
241 sin6->sin6_addr = ip6->ip6_src;
242 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
243 /* fix scope id for comparing SPD */
244 sin6->sin6_addr.s6_addr16[1] = 0;
245 sin6->sin6_scope_id =
246 ntohs(ip6->ip6_src.s6_addr16[1]);
247 }
248 }
249 if (saidx->dst.sin6.sin6_len == 0) {
250 sin6 = (struct sockaddr_in6 *)&saidx->dst;
251 sin6->sin6_len = sizeof(*sin6);
252 sin6->sin6_family = AF_INET6;
253 sin6->sin6_port = IPSEC_PORT_ANY;
254 sin6->sin6_addr = ip6->ip6_dst;
255 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
256 /* fix scope id for comparing SPD */
257 sin6->sin6_addr.s6_addr16[1] = 0;
258 sin6->sin6_scope_id =
259 ntohs(ip6->ip6_dst.s6_addr16[1]);
260 }
261 }
262 }
263 }
264
265 /*
266 * Lookup SA and validate it.
267 */
268 *error = key_checkrequest(isr, saidx);
269 if (*error != 0) {
270 /*
271 * IPsec processing is required, but no SA found.
272 * I assume that key_acquire() had been called
273 * to get/establish the SA. Here I discard
274 * this packet because it is responsibility for
275 * upper layer to retransmit the packet.
276 */
277 newipsecstat.ips_out_nosa++;
278 goto bad;
279 }
280 sav = isr->sav;
281 if (sav == NULL) { /* XXX valid return */
282 KASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
283 ("ipsec_nextisr: no SA found, but required; level %u",
284 ipsec_get_reqlevel(isr)));
285 isr = isr->next;
286 if (isr == NULL) {
287 /*XXXstatistic??*/
288 *error = EINVAL; /*XXX*/
289 return isr;
290 }
291 goto again;
292 }
293
294 /*
295 * Check system global policy controls.
296 */
297 if ((isr->saidx.proto == IPPROTO_ESP && !esp_enable) ||
298 (isr->saidx.proto == IPPROTO_AH && !ah_enable) ||
299 (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) {
300 DPRINTF(("ipsec_nextisr: IPsec outbound packet dropped due"
301 " to policy (check your sysctls)\n"));
302 IPSEC_OSTAT(espstat.esps_pdrops, ahstat.ahs_pdrops,
303 ipcompstat.ipcomps_pdrops);
304 *error = EHOSTUNREACH;
305 goto bad;
306 }
307
308 /*
309 * Sanity check the SA contents for the caller
310 * before they invoke the xform output method.
311 */
312 if (sav->tdb_xform == NULL) {
313 DPRINTF(("ipsec_nextisr: no transform for SA\n"));
314 IPSEC_OSTAT(espstat.esps_noxform, ahstat.ahs_noxform,
315 ipcompstat.ipcomps_noxform);
316 *error = EHOSTUNREACH;
317 goto bad;
318 }
319 return isr;
320 bad:
321 KASSERT(*error != 0, ("ipsec_nextisr: error return w/ no error code"));
322 return NULL;
323 #undef IPSEC_OSTAT
324 }
325
326 #ifdef INET
327 /*
328 * IPsec output logic for IPv4.
329 */
330 int
331 ipsec4_process_packet(
332 struct mbuf *m,
333 struct ipsecrequest *isr,
334 int flags,
335 int tunalready)
336 {
337 struct secasindex saidx;
338 struct secasvar *sav;
339 struct ip *ip;
340 int error, i, off;
341
342 KASSERT(m != NULL, ("ipsec4_process_packet: null mbuf"));
343 KASSERT(isr != NULL, ("ipsec4_process_packet: null isr"));
344
345 crit_enter();
346
347 isr = ipsec_nextisr(m, isr, AF_INET, &saidx, &error);
348 if (isr == NULL)
349 goto bad;
350
351 sav = isr->sav;
352 if (!tunalready) {
353 union sockaddr_union *dst = &sav->sah->saidx.dst;
354 int setdf;
355
356 /*
357 * Collect IP_DF state from the outer header.
358 */
359 if (dst->sa.sa_family == AF_INET) {
360 if (m->m_len < sizeof (struct ip) &&
361 (m = m_pullup(m, sizeof (struct ip))) == NULL) {
362 error = ENOBUFS;
363 goto bad;
364 }
365 ip = mtod(m, struct ip *);
366 /* Honor system-wide control of how to handle IP_DF */
367 switch (ip4_ipsec_dfbit) {
368 case 0: /* clear in outer header */
369 case 1: /* set in outer header */
370 setdf = ip4_ipsec_dfbit;
371 break;
372 default: /* propagate to outer header */
373 setdf = ntohs(ip->ip_off & IP_DF);
374 break;
375 }
376 } else {
377 ip = NULL; /* keep compiler happy */
378 setdf = 0;
379 }
380 /* Do the appropriate encapsulation, if necessary */
381 if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
382 dst->sa.sa_family != AF_INET || /* PF mismatch */
383 #if 0
384 (sav->flags & SADB_X_SAFLAGS_TUNNEL) || /* Tunnel requ'd */
385 sav->tdb_xform->xf_type == XF_IP4 || /* ditto */
386 #endif
387 (dst->sa.sa_family == AF_INET && /* Proxy */
388 dst->sin.sin_addr.s_addr != INADDR_ANY &&
389 dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) {
390 struct mbuf *mp;
391
392 /* Fix IPv4 header checksum and length */
393 if (m->m_len < sizeof (struct ip) &&
394 (m = m_pullup(m, sizeof (struct ip))) == NULL) {
395 error = ENOBUFS;
396 goto bad;
397 }
398 ip = mtod(m, struct ip *);
399 ip->ip_len = htons(m->m_pkthdr.len);
400 ip->ip_sum = 0;
401 #ifdef _IP_VHL
402 if (ip->ip_vhl == IP_VHL_BORING)
403 ip->ip_sum = in_cksum_hdr(ip);
404 else
405 ip->ip_sum = in_cksum(m,
406 _IP_VHL_HL(ip->ip_vhl) << 2);
407 #else
408 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
409 #endif
410
411 /* Encapsulate the packet */
412 error = ipip_output(m, isr, &mp, 0, 0);
413 if (mp == NULL && !error) {
414 /* Should never happen. */
415 DPRINTF(("ipsec4_process_packet: ipip_output "
416 "returns no mbuf and no error!"));
417 error = EFAULT;
418 }
419 if (error) {
420 if (mp)
421 m_freem(mp);
422 goto bad;
423 }
424 m = mp, mp = NULL;
425 /*
426 * ipip_output clears IP_DF in the new header. If
427 * we need to propagate IP_DF from the outer header,
428 * then we have to do it here.
429 *
430 * XXX shouldn't assume what ipip_output does.
431 */
432 if (dst->sa.sa_family == AF_INET && setdf) {
433 if (m->m_len < sizeof (struct ip) &&
434 (m = m_pullup(m, sizeof (struct ip))) == NULL) {
435 error = ENOBUFS;
436 goto bad;
437 }
438 ip = mtod(m, struct ip *);
439 ip->ip_off = ntohs(ip->ip_off);
440 ip->ip_off |= IP_DF;
441 ip->ip_off = htons(ip->ip_off);
442 }
443 }
444 }
445
446 /*
447 * Dispatch to the appropriate IPsec transform logic. The
448 * packet will be returned for transmission after crypto
449 * processing, etc. are completed. For encapsulation we
450 * bypass this call because of the explicit call done above
451 * (necessary to deal with IP_DF handling for IPv4).
452 *
453 * NB: m & sav are ``passed to caller'' who's reponsible for
454 * for reclaiming their resources.
455 */
456 if (sav->tdb_xform->xf_type != XF_IP4) {
457 ip = mtod(m, struct ip *);
458 i = ip->ip_hl << 2;
459 off = offsetof(struct ip, ip_p);
460 error = (*sav->tdb_xform->xf_output)(m, isr, NULL, i, off);
461 } else {
462 error = ipsec_process_done(m, isr);
463 }
464 crit_exit();
465 return error;
466 bad:
467 crit_exit();
468 if (m)
469 m_freem(m);
470 return error;
471 }
472 #endif
473
474 #ifdef INET6
475 /*
476 * Chop IP6 header from the payload.
477 */
478 static struct mbuf *
479 ipsec6_splithdr(struct mbuf *m)
480 {
481 struct mbuf *mh;
482 struct ip6_hdr *ip6;
483 int hlen;
484
485 KASSERT(m->m_len >= sizeof (struct ip6_hdr),
486 ("ipsec6_splithdr: first mbuf too short, len %u", m->m_len));
487 ip6 = mtod(m, struct ip6_hdr *);
488 hlen = sizeof(struct ip6_hdr);
489 if (m->m_len > hlen) {
490 MGETHDR(mh, MB_DONTWAIT, MT_HEADER);
491 if (!mh) {
492 m_freem(m);
493 return NULL;
494 }
495 M_MOVE_PKTHDR(mh, m);
496 MH_ALIGN(mh, hlen);
497 m->m_len -= hlen;
498 m->m_data += hlen;
499 mh->m_next = m;
500 m = mh;
501 m->m_len = hlen;
502 bcopy((caddr_t)ip6, mtod(m, caddr_t), hlen);
503 } else if (m->m_len < hlen) {
504 m = m_pullup(m, hlen);
505 if (!m)
506 return NULL;
507 }
508 return m;
509 }
510
511 /*
512 * IPsec output logic for IPv6, transport mode.
513 */
514 int
515 ipsec6_output_trans(
516 struct ipsec_output_state *state,
517 u_char *nexthdrp,
518 struct mbuf *mprev,
519 struct secpolicy *sp,
520 int flags,
521 int *tun)
522 {
523 struct ipsecrequest *isr;
524 struct secasindex saidx;
525 int error = 0;
526 struct mbuf *m;
527
528 KASSERT(state != NULL, ("ipsec6_output: null state"));
529 KASSERT(state->m != NULL, ("ipsec6_output: null m"));
530 KASSERT(nexthdrp != NULL, ("ipsec6_output: null nexthdrp"));
531 KASSERT(mprev != NULL, ("ipsec6_output: null mprev"));
532 KASSERT(sp != NULL, ("ipsec6_output: null sp"));
533 KASSERT(tun != NULL, ("ipsec6_output: null tun"));
534
535 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
536 kprintf("ipsec6_output_trans: applyed SP\n");
537 kdebug_secpolicy(sp));
538
539 isr = sp->req;
540 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
541 /* the rest will be handled by ipsec6_output_tunnel() */
542 *tun = 1; /* need tunnel-mode processing */
543 return 0;
544 }
545
546 *tun = 0;
547 m = state->m;
548
549 isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error);
550 if (isr == NULL) {
551 #ifdef notdef
552 /* XXX should notification be done for all errors ? */
553 /*
554 * Notify the fact that the packet is discarded
555 * to ourselves. I believe this is better than
556 * just silently discarding. (jinmei@kame.net)
557 * XXX: should we restrict the error to TCP packets?
558 * XXX: should we directly notify sockets via
559 * kpfctlinputs?
560 */
561 icmp6_error(m, ICMP6_DST_UNREACH,
562 ICMP6_DST_UNREACH_ADMIN, 0);
563 m = NULL; /* NB: icmp6_error frees mbuf */
564 #endif
565 goto bad;
566 }
567
568 return (*isr->sav->tdb_xform->xf_output)(m, isr, NULL,
569 sizeof (struct ip6_hdr),
570 offsetof(struct ip6_hdr, ip6_nxt));
571 bad:
572 if (m)
573 m_freem(m);
574 state->m = NULL;
575 return error;
576 }
577
578 static int
579 ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
580 {
581 struct ip6_hdr *oip6;
582 struct ip6_hdr *ip6;
583 size_t plen;
584
585 /* can't tunnel between different AFs */
586 if (sav->sah->saidx.src.sa.sa_family != AF_INET6 ||
587 sav->sah->saidx.dst.sa.sa_family != AF_INET6) {
588 m_freem(m);
589 return EINVAL;
590 }
591 KASSERT(m->m_len != sizeof (struct ip6_hdr),
592 ("ipsec6_encapsulate: mbuf wrong size; len %u", m->m_len));
593
594
595 /*
596 * grow the mbuf to accomodate the new IPv6 header.
597 */
598 plen = m->m_pkthdr.len;
599 if (M_LEADINGSPACE(m->m_next) < sizeof(struct ip6_hdr)) {
600 struct mbuf *n;
601 MGET(n, MB_DONTWAIT, MT_DATA);
602 if (!n) {
603 m_freem(m);
604 return ENOBUFS;
605 }
606 n->m_len = sizeof(struct ip6_hdr);
607 n->m_next = m->m_next;
608 m->m_next = n;
609 m->m_pkthdr.len += sizeof(struct ip6_hdr);
610 oip6 = mtod(n, struct ip6_hdr *);
611 } else {
612 m->m_next->m_len += sizeof(struct ip6_hdr);
613 m->m_next->m_data -= sizeof(struct ip6_hdr);
614 m->m_pkthdr.len += sizeof(struct ip6_hdr);
615 oip6 = mtod(m->m_next, struct ip6_hdr *);
616 }
617 ip6 = mtod(m, struct ip6_hdr *);
618 ovbcopy((caddr_t)ip6, (caddr_t)oip6, sizeof(struct ip6_hdr));
619
620 /* Fake link-local scope-class addresses */
621 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_src))
622 oip6->ip6_src.s6_addr16[1] = 0;
623 if (IN6_IS_SCOPE_LINKLOCAL(&oip6->ip6_dst))
624 oip6->ip6_dst.s6_addr16[1] = 0;
625
626 /* construct new IPv6 header. see RFC 2401 5.1.2.2 */
627 /* ECN consideration. */
628 ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
629 if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
630 ip6->ip6_plen = htons(plen);
631 else {
632 /* ip6->ip6_plen will be updated in ip6_output() */
633 }
634 ip6->ip6_nxt = IPPROTO_IPV6;
635 sav->sah->saidx.src.sin6.sin6_addr = ip6->ip6_src;
636 sav->sah->saidx.dst.sin6.sin6_addr = ip6->ip6_dst;
637 ip6->ip6_hlim = IPV6_DEFHLIM;
638
639 /* XXX Should ip6_src be updated later ? */
640
641 return 0;
642 }
643
644 /*
645 * IPsec output logic for IPv6, tunnel mode.
646 */
647 int
648 ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int flags)
649 {
650 struct ip6_hdr *ip6;
651 struct ipsecrequest *isr;
652 struct secasindex saidx;
653 int error;
654 struct sockaddr_in6* dst6;
655 struct mbuf *m;
656
657 KASSERT(state != NULL, ("ipsec6_output: null state"));
658 KASSERT(state->m != NULL, ("ipsec6_output: null m"));
659 KASSERT(sp != NULL, ("ipsec6_output: null sp"));
660
661 KEYDEBUG(KEYDEBUG_IPSEC_DATA,
662 kprintf("ipsec6_output_tunnel: applyed SP\n");
663 kdebug_secpolicy(sp));
664
665 m = state->m;
666 /*
667 * transport mode ipsec (before the 1st tunnel mode) is already
668 * processed by ipsec6_output_trans().
669 */
670 for (isr = sp->req; isr; isr = isr->next) {
671 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
672 break;
673 }
674 isr = ipsec_nextisr(m, isr, AF_INET6, &saidx, &error);
675 if (isr == NULL)
676 goto bad;
677
678 /*
679 * There may be the case that SA status will be changed when
680 * we are refering to one. So calling splsoftnet().
681 */
682 if (isr->saidx.mode == IPSEC_MODE_TUNNEL) {
683 /*
684 * build IPsec tunnel.
685 */
686 /* XXX should be processed with other familiy */
687 if (isr->sav->sah->saidx.src.sa.sa_family != AF_INET6) {
688 ipseclog((LOG_ERR, "ipsec6_output_tunnel: "
689 "family mismatched between inner and outer, spi=%u\n",
690 ntohl(isr->sav->spi)));
691 newipsecstat.ips_out_inval++;
692 error = EAFNOSUPPORT;
693 goto bad;
694 }
695
696 m = ipsec6_splithdr(m);
697 if (!m) {
698 newipsecstat.ips_out_nomem++;
699 error = ENOMEM;
700 goto bad;
701 }
702 error = ipsec6_encapsulate(m, isr->sav);
703 if (error) {
704 m = NULL;
705 goto bad;
706 }
707 ip6 = mtod(m, struct ip6_hdr *);
708
709 state->ro = &isr->sav->sah->sa_route;
710 state->dst = (struct sockaddr *)&state->ro->ro_dst;
711 dst6 = (struct sockaddr_in6 *)state->dst;
712 if (state->ro->ro_rt
713 && ((state->ro->ro_rt->rt_flags & RTF_UP) == 0
714 || !IN6_ARE_ADDR_EQUAL(&dst6->sin6_addr, &ip6->ip6_dst))) {
715 RTFREE(state->ro->ro_rt);
716 state->ro->ro_rt = NULL;
717 }
718 if (state->ro->ro_rt == 0) {
719 bzero(dst6, sizeof(*dst6));
720 dst6->sin6_family = AF_INET6;
721 dst6->sin6_len = sizeof(*dst6);
722 dst6->sin6_addr = ip6->ip6_dst;
723 rtalloc(state->ro);
724 }
725 if (state->ro->ro_rt == 0) {
726 ip6stat.ip6s_noroute++;
727 newipsecstat.ips_out_noroute++;
728 error = EHOSTUNREACH;
729 goto bad;
730 }
731
732 /* adjust state->dst if tunnel endpoint is offlink */
733 if (state->ro->ro_rt->rt_flags & RTF_GATEWAY) {
734 state->dst = (struct sockaddr *)state->ro->ro_rt->rt_gateway;
735 dst6 = (struct sockaddr_in6 *)state->dst;
736 }
737 }
738
739 m = ipsec6_splithdr(m);
740 if (!m) {
741 newipsecstat.ips_out_nomem++;
742 error = ENOMEM;
743 goto bad;
744 }
745 ip6 = mtod(m, struct ip6_hdr *);
746 return (*isr->sav->tdb_xform->xf_output)(m, isr, NULL,
747 sizeof (struct ip6_hdr),
748 offsetof(struct ip6_hdr, ip6_nxt));
749 bad:
750 if (m)
751 m_freem(m);
752 state->m = NULL;
753 return error;
754 }
755 #endif /*INET6*/
DragonFly BSD