ipsec_input.c revision 1.3
1 /* $NetBSD: ipsec_input.c,v 1.3 2003/08/15 17:14:31 jonathan Exp $ */ 2 /* $FreeBSD: src/sys/netipsec/ipsec_input.c,v 1.2.4.1 2003/01/24 05:11:35 sam Exp $ */ 3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ 4 5 #include <sys/cdefs.h> 6 __KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.3 2003/08/15 17:14:31 jonathan Exp $"); 7 8 /* 9 * IPsec input processing. 10 */ 11 12 #include "opt_inet.h" 13 #include "opt_inet6.h" 14 #include "opt_ipsec.h" 15 16 #include <sys/param.h> 17 #include <sys/systm.h> 18 #include <sys/malloc.h> 19 #include <sys/mbuf.h> 20 #include <sys/domain.h> 21 #include <sys/protosw.h> 22 #include <sys/socket.h> 23 #include <sys/errno.h> 24 #include <sys/syslog.h> 25 26 #include <net/if.h> 27 #include <net/route.h> 28 #include <net/netisr.h> 29 30 #include <netinet/in.h> 31 #include <netinet/in_systm.h> 32 #include <netinet/ip.h> 33 #include <netinet/ip_var.h> 34 #include <netinet/in_var.h> 35 36 #include <netinet/ip6.h> 37 #ifdef INET6 38 #include <netinet6/ip6_var.h> 39 #endif 40 #include <netinet/in_pcb.h> 41 #ifdef INET6 42 #include <netinet/icmp6.h> 43 #endif 44 45 #include <netipsec/ipsec.h> 46 #ifdef INET6 47 #include <netipsec/ipsec6.h> 48 #endif 49 #include <netipsec/ah_var.h> 50 #include <netipsec/esp.h> 51 #include <netipsec/esp_var.h> 52 #include <netipsec/ipcomp_var.h> 53 54 #include <netipsec/key.h> 55 #include <netipsec/keydb.h> 56 57 #include <netipsec/xform.h> 58 #include <netinet6/ip6protosw.h> 59 60 #include <netipsec/ipsec_osdep.h> 61 62 #include <machine/stdarg.h> 63 64 #include <net/net_osdep.h> 65 66 #define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \ 67 (p) == IPPROTO_AH ? (y)++ : (z)++) 68 69 /* 70 * ipsec_common_input gets called when an IPsec-protected packet 71 * is received by IPv4 or IPv6. It's job is to find the right SA 72 # and call the appropriate transform. The transform callback 73 * takes care of further processing (like ingress filtering). 74 */ 75 static int 76 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) 77 { 78 union sockaddr_union dst_address; 79 struct secasvar *sav; 80 u_int32_t spi; 81 int s, error; 82 83 IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input, 84 ipcompstat.ipcomps_input); 85 86 IPSEC_ASSERT(m != NULL, ("ipsec_common_input: null packet")); 87 88 if ((sproto == IPPROTO_ESP && !esp_enable) || 89 (sproto == IPPROTO_AH && !ah_enable) || 90 (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) { 91 m_freem(m); 92 IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops, 93 ipcompstat.ipcomps_pdrops); 94 return EOPNOTSUPP; 95 } 96 97 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 98 m_freem(m); 99 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, 100 ipcompstat.ipcomps_hdrops); 101 DPRINTF(("ipsec_common_input: packet too small\n")); 102 return EINVAL; 103 } 104 105 /* Retrieve the SPI from the relevant IPsec header */ 106 if (sproto == IPPROTO_ESP) 107 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 108 else if (sproto == IPPROTO_AH) 109 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 110 (caddr_t) &spi); 111 else if (sproto == IPPROTO_IPCOMP) { 112 u_int16_t cpi; 113 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 114 (caddr_t) &cpi); 115 spi = ntohl(htons(cpi)); 116 } 117 118 /* 119 * Find the SA and (indirectly) call the appropriate 120 * kernel crypto routine. The resulting mbuf chain is a valid 121 * IP packet ready to go through input processing. 122 */ 123 bzero(&dst_address, sizeof (dst_address)); 124 dst_address.sa.sa_family = af; 125 switch (af) { 126 #ifdef INET 127 case AF_INET: 128 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 129 m_copydata(m, offsetof(struct ip, ip_dst), 130 sizeof(struct in_addr), 131 (caddr_t) &dst_address.sin.sin_addr); 132 break; 133 #endif /* INET */ 134 #ifdef INET6 135 case AF_INET6: 136 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 137 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 138 sizeof(struct in6_addr), 139 (caddr_t) &dst_address.sin6.sin6_addr); 140 break; 141 #endif /* INET6 */ 142 default: 143 DPRINTF(("ipsec_common_input: unsupported protocol " 144 "family %u\n", af)); 145 m_freem(m); 146 IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf, 147 ipcompstat.ipcomps_nopf); 148 return EPFNOSUPPORT; 149 } 150 151 s = splsoftnet(); 152 153 /* NB: only pass dst since key_allocsa follows RFC2401 */ 154 sav = KEY_ALLOCSA(&dst_address, sproto, spi); 155 if (sav == NULL) { 156 DPRINTF(("ipsec_common_input: no key association found for" 157 " SA %s/%08lx/%u\n", 158 ipsec_address(&dst_address), 159 (u_long) ntohl(spi), sproto)); 160 IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb, 161 ipcompstat.ipcomps_notdb); 162 splx(s); 163 m_freem(m); 164 return ENOENT; 165 } 166 167 if (sav->tdb_xform == NULL) { 168 DPRINTF(("ipsec_common_input: attempted to use uninitialized" 169 " SA %s/%08lx/%u\n", 170 ipsec_address(&dst_address), 171 (u_long) ntohl(spi), sproto)); 172 IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform, 173 ipcompstat.ipcomps_noxform); 174 KEY_FREESAV(&sav); 175 splx(s); 176 m_freem(m); 177 return ENXIO; 178 } 179 180 /* 181 * Call appropriate transform and return -- callback takes care of 182 * everything else. 183 */ 184 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); 185 KEY_FREESAV(&sav); 186 splx(s); 187 return error; 188 } 189 190 #ifdef INET 191 /* 192 * Common input handler for IPv4 AH, ESP, and IPCOMP. 193 */ 194 void 195 ipsec4_common_input(struct mbuf *m, ...) 196 { 197 va_list ap; 198 int off, nxt; 199 200 va_start(ap, m); 201 off = va_arg(ap, int); 202 nxt = va_arg(ap, int); 203 va_end(ap); 204 205 (void) ipsec_common_input(m, off, offsetof(struct ip, ip_p), 206 AF_INET, nxt); 207 } 208 209 /* 210 * IPsec input callback for INET protocols. 211 * This routine is called as the transform callback. 212 * Takes care of filtering and other sanity checks on 213 * the processed packet. 214 */ 215 int 216 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, 217 int skip, int protoff, struct m_tag *mt) 218 { 219 int prot, af, sproto; 220 struct ip *ip; 221 struct m_tag *mtag; 222 struct tdb_ident *tdbi; 223 struct secasindex *saidx; 224 int error; 225 226 IPSEC_SPLASSERT_SOFTNET("ipsec4_common_input_cb"); 227 228 IPSEC_ASSERT(m != NULL, ("ipsec4_common_input_cb: null mbuf")); 229 IPSEC_ASSERT(sav != NULL, ("ipsec4_common_input_cb: null SA")); 230 IPSEC_ASSERT(sav->sah != NULL, ("ipsec4_common_input_cb: null SAH")); 231 saidx = &sav->sah->saidx; 232 af = saidx->dst.sa.sa_family; 233 IPSEC_ASSERT(af == AF_INET, ("ipsec4_common_input_cb: unexpected af %u",af)); 234 sproto = saidx->proto; 235 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 236 sproto == IPPROTO_IPCOMP, 237 ("ipsec4_common_input_cb: unexpected security protocol %u", 238 sproto)); 239 240 /* Sanity check */ 241 if (m == NULL) { 242 DPRINTF(("ipsec4_common_input_cb: null mbuf")); 243 IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr, 244 ipcompstat.ipcomps_badkcr); 245 KEY_FREESAV(&sav); 246 return EINVAL; 247 } 248 249 if (skip != 0) { 250 /* Fix IPv4 header */ 251 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 252 DPRINTF(("ipsec4_common_input_cb: processing failed " 253 "for SA %s/%08lx\n", 254 ipsec_address(&sav->sah->saidx.dst), 255 (u_long) ntohl(sav->spi))); 256 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, 257 ipcompstat.ipcomps_hdrops); 258 error = ENOBUFS; 259 goto bad; 260 } 261 262 ip = mtod(m, struct ip *); 263 ip->ip_len = htons(m->m_pkthdr.len); 264 #ifdef __FreeBSD__ 265 /* On FreeBSD, ip_off and ip_len assumed in host endian. */ 266 ip->ip_off = htons(ip->ip_off); 267 #endif 268 ip->ip_sum = 0; 269 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 270 } else { 271 ip = mtod(m, struct ip *); 272 } 273 prot = ip->ip_p; 274 275 /* IP-in-IP encapsulation */ 276 if (prot == IPPROTO_IPIP) { 277 struct ip ipn; 278 279 /* ipn will now contain the inner IPv4 header */ 280 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), 281 (caddr_t) &ipn); 282 283 #ifdef notyet 284 /* XXX PROXY address isn't recorded in SAH */ 285 /* 286 * Check that the inner source address is the same as 287 * the proxy address, if available. 288 */ 289 if ((saidx->proxy.sa.sa_family == AF_INET && 290 saidx->proxy.sin.sin_addr.s_addr != 291 INADDR_ANY && 292 ipn.ip_src.s_addr != 293 saidx->proxy.sin.sin_addr.s_addr) || 294 (saidx->proxy.sa.sa_family != AF_INET && 295 saidx->proxy.sa.sa_family != 0)) { 296 297 DPRINTF(("ipsec4_common_input_cb: inner " 298 "source address %s doesn't correspond to " 299 "expected proxy source %s, SA %s/%08lx\n", 300 inet_ntoa4(ipn.ip_src), 301 ipsp_address(saidx->proxy), 302 ipsp_address(saidx->dst), 303 (u_long) ntohl(sav->spi))); 304 305 IPSEC_ISTAT(sproto, espstat.esps_pdrops, 306 ahstat.ahs_pdrops, 307 ipcompstat.ipcomps_pdrops); 308 error = EACCES; 309 goto bad; 310 } 311 #endif /*XXX*/ 312 } 313 #if INET6 314 /* IPv6-in-IP encapsulation. */ 315 if (prot == IPPROTO_IPV6) { 316 struct ip6_hdr ip6n; 317 318 /* ip6n will now contain the inner IPv6 header. */ 319 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), 320 (caddr_t) &ip6n); 321 322 #ifdef notyet 323 /* 324 * Check that the inner source address is the same as 325 * the proxy address, if available. 326 */ 327 if ((saidx->proxy.sa.sa_family == AF_INET6 && 328 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && 329 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, 330 &saidx->proxy.sin6.sin6_addr)) || 331 (saidx->proxy.sa.sa_family != AF_INET6 && 332 saidx->proxy.sa.sa_family != 0)) { 333 334 DPRINTF(("ipsec4_common_input_cb: inner " 335 "source address %s doesn't correspond to " 336 "expected proxy source %s, SA %s/%08lx\n", 337 ip6_sprintf(&ip6n.ip6_src), 338 ipsec_address(&saidx->proxy), 339 ipsec_address(&saidx->dst), 340 (u_long) ntohl(sav->spi))); 341 342 IPSEC_ISTAT(sproto, espstat.esps_pdrops, 343 ahstat.ahs_pdrops, 344 ipcompstat.ipcomps_pdrops); 345 error = EACCES; 346 goto bad; 347 } 348 #endif /*XXX*/ 349 } 350 #endif /* INET6 */ 351 352 /* 353 * Record what we've done to the packet (under what SA it was 354 * processed). If we've been passed an mtag, it means the packet 355 * was already processed by an ethernet/crypto combo card and 356 * thus has a tag attached with all the right information, but 357 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to 358 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type. 359 */ 360 if (mt == NULL && sproto != IPPROTO_IPCOMP) { 361 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 362 sizeof(struct tdb_ident), M_NOWAIT); 363 if (mtag == NULL) { 364 DPRINTF(("ipsec4_common_input_cb: failed to get tag\n")); 365 IPSEC_ISTAT(sproto, espstat.esps_hdrops, 366 ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); 367 error = ENOMEM; 368 goto bad; 369 } 370 371 tdbi = (struct tdb_ident *)(mtag + 1); 372 bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len); 373 tdbi->proto = sproto; 374 tdbi->spi = sav->spi; 375 376 m_tag_prepend(m, mtag); 377 } else { 378 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE; 379 /* XXX do we need to mark m_flags??? */ 380 } 381 382 key_sa_recordxfer(sav, m); /* record data transfer */ 383 384 /* 385 * Re-dispatch via software interrupt. 386 */ 387 if (!IF_HANDOFF(&ipintrq, m, NULL)) { 388 IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull, 389 ipcompstat.ipcomps_qfull); 390 391 DPRINTF(("ipsec4_common_input_cb: queue full; " 392 "proto %u packet dropped\n", sproto)); 393 return ENOBUFS; 394 } 395 schednetisr(NETISR_IP); 396 return 0; 397 bad: 398 m_freem(m); 399 return error; 400 } 401 #endif /* INET */ 402 403 #ifdef INET6 404 /* IPv6 AH wrapper. */ 405 int 406 ipsec6_common_input(struct mbuf **mp, int *offp, int proto) 407 { 408 int l = 0; 409 int protoff; 410 struct ip6_ext ip6e; 411 412 if (*offp < sizeof(struct ip6_hdr)) { 413 DPRINTF(("ipsec6_common_input: bad offset %u\n", *offp)); 414 return IPPROTO_DONE; 415 } else if (*offp == sizeof(struct ip6_hdr)) { 416 protoff = offsetof(struct ip6_hdr, ip6_nxt); 417 } else { 418 /* Chase down the header chain... */ 419 protoff = sizeof(struct ip6_hdr); 420 421 do { 422 protoff += l; 423 m_copydata(*mp, protoff, sizeof(ip6e), 424 (caddr_t) &ip6e); 425 426 if (ip6e.ip6e_nxt == IPPROTO_AH) 427 l = (ip6e.ip6e_len + 2) << 2; 428 else 429 l = (ip6e.ip6e_len + 1) << 3; 430 IPSEC_ASSERT(l > 0, ("ah6_input: l went zero or negative")); 431 } while (protoff + l < *offp); 432 433 /* Malformed packet check */ 434 if (protoff + l != *offp) { 435 DPRINTF(("ipsec6_common_input: bad packet header chain, " 436 "protoff %u, l %u, off %u\n", protoff, l, *offp)); 437 IPSEC_ISTAT(proto, espstat.esps_hdrops, 438 ahstat.ahs_hdrops, 439 ipcompstat.ipcomps_hdrops); 440 m_freem(*mp); 441 *mp = NULL; 442 return IPPROTO_DONE; 443 } 444 protoff += offsetof(struct ip6_ext, ip6e_nxt); 445 } 446 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto); 447 return IPPROTO_DONE; 448 } 449 450 void 451 esp6_ctlinput(int cmd, struct sockaddr *sa, void *d) 452 { 453 if (sa->sa_family != AF_INET6 || 454 sa->sa_len != sizeof(struct sockaddr_in6)) 455 return; 456 if ((unsigned)cmd >= PRC_NCMDS) 457 return; 458 459 /* if the parameter is from icmp6, decode it. */ 460 if (d != NULL) { 461 struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d; 462 struct mbuf *m = ip6cp->ip6c_m; 463 int off = ip6cp->ip6c_off; 464 465 struct ip6ctlparam ip6cp1; 466 467 /* 468 * Notify the error to all possible sockets via pfctlinput2. 469 * Since the upper layer information (such as protocol type, 470 * source and destination ports) is embedded in the encrypted 471 * data and might have been cut, we can't directly call 472 * an upper layer ctlinput function. However, the pcbnotify 473 * function will consider source and destination addresses 474 * as well as the flow info value, and may be able to find 475 * some PCB that should be notified. 476 * Although pfctlinput2 will call esp6_ctlinput(), there is 477 * no possibility of an infinite loop of function calls, 478 * because we don't pass the inner IPv6 header. 479 */ 480 bzero(&ip6cp1, sizeof(ip6cp1)); 481 ip6cp1.ip6c_src = ip6cp->ip6c_src; 482 pfctlinput2(cmd, sa, (void *)&ip6cp1); 483 484 /* 485 * Then go to special cases that need ESP header information. 486 * XXX: We assume that when ip6 is non NULL, 487 * M and OFF are valid. 488 */ 489 490 if (cmd == PRC_MSGSIZE) { 491 struct secasvar *sav; 492 u_int32_t spi; 493 int valid; 494 495 /* check header length before using m_copydata */ 496 if (m->m_pkthdr.len < off + sizeof (struct esp)) 497 return; 498 m_copydata(m, off + offsetof(struct esp, esp_spi), 499 sizeof(u_int32_t), (caddr_t) &spi); 500 /* 501 * Check to see if we have a valid SA corresponding to 502 * the address in the ICMP message payload. 503 */ 504 sav = KEY_ALLOCSA((union sockaddr_union *)sa, 505 IPPROTO_ESP, spi); 506 valid = (sav != NULL); 507 if (sav) 508 KEY_FREESAV(&sav); 509 510 /* XXX Further validation? */ 511 512 /* 513 * Depending on whether the SA is "valid" and 514 * routing table size (mtudisc_{hi,lo}wat), we will: 515 * - recalcurate the new MTU and create the 516 * corresponding routing entry, or 517 * - ignore the MTU change notification. 518 */ 519 icmp6_mtudisc_update(ip6cp, valid); 520 } 521 } else { 522 /* we normally notify any pcb here */ 523 } 524 } 525 526 extern struct ip6protosw inet6sw[]; 527 extern u_char ip6_protox[]; 528 529 /* 530 * IPsec input callback, called by the transform callback. Takes care of 531 * filtering and other sanity checks on the processed packet. 532 */ 533 int 534 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, 535 struct m_tag *mt) 536 { 537 int prot, af, sproto; 538 struct ip6_hdr *ip6; 539 struct m_tag *mtag; 540 struct tdb_ident *tdbi; 541 struct secasindex *saidx; 542 int nxt; 543 u_int8_t nxt8; 544 int error, nest; 545 546 IPSEC_ASSERT(m != NULL, ("ipsec6_common_input_cb: null mbuf")); 547 IPSEC_ASSERT(sav != NULL, ("ipsec6_common_input_cb: null SA")); 548 IPSEC_ASSERT(sav->sah != NULL, ("ipsec6_common_input_cb: null SAH")); 549 saidx = &sav->sah->saidx; 550 af = saidx->dst.sa.sa_family; 551 IPSEC_ASSERT(af == AF_INET6, 552 ("ipsec6_common_input_cb: unexpected af %u", af)); 553 sproto = saidx->proto; 554 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 555 sproto == IPPROTO_IPCOMP, 556 ("ipsec6_common_input_cb: unexpected security protocol %u", 557 sproto)); 558 559 /* Sanity check */ 560 if (m == NULL) { 561 DPRINTF(("ipsec4_common_input_cb: null mbuf")); 562 IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr, 563 ipcompstat.ipcomps_badkcr); 564 error = EINVAL; 565 goto bad; 566 } 567 568 /* Fix IPv6 header */ 569 if (m->m_len < sizeof(struct ip6_hdr) && 570 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 571 572 DPRINTF(("ipsec_common_input_cb: processing failed " 573 "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), 574 (u_long) ntohl(sav->spi))); 575 576 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, 577 ipcompstat.ipcomps_hdrops); 578 error = EACCES; 579 goto bad; 580 } 581 582 ip6 = mtod(m, struct ip6_hdr *); 583 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 584 585 /* Save protocol */ 586 m_copydata(m, protoff, 1, (unsigned char *) &prot); 587 588 #ifdef INET 589 /* IP-in-IP encapsulation */ 590 if (prot == IPPROTO_IPIP) { 591 struct ip ipn; 592 593 /* ipn will now contain the inner IPv4 header */ 594 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 595 596 #ifdef notyet 597 /* 598 * Check that the inner source address is the same as 599 * the proxy address, if available. 600 */ 601 if ((saidx->proxy.sa.sa_family == AF_INET && 602 saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY && 603 ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) || 604 (saidx->proxy.sa.sa_family != AF_INET && 605 saidx->proxy.sa.sa_family != 0)) { 606 607 DPRINTF(("ipsec_common_input_cb: inner " 608 "source address %s doesn't correspond to " 609 "expected proxy source %s, SA %s/%08lx\n", 610 inet_ntoa4(ipn.ip_src), 611 ipsec_address(&saidx->proxy), 612 ipsec_address(&saidx->dst), 613 (u_long) ntohl(sav->spi))); 614 615 IPSEC_ISTATsproto, (espstat.esps_pdrops, 616 ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); 617 error = EACCES; 618 goto bad; 619 } 620 #endif /*XXX*/ 621 } 622 #endif /* INET */ 623 624 /* IPv6-in-IP encapsulation */ 625 if (prot == IPPROTO_IPV6) { 626 struct ip6_hdr ip6n; 627 628 /* ip6n will now contain the inner IPv6 header. */ 629 m_copydata(m, skip, sizeof(struct ip6_hdr), 630 (caddr_t) &ip6n); 631 632 #ifdef notyet 633 /* 634 * Check that the inner source address is the same as 635 * the proxy address, if available. 636 */ 637 if ((saidx->proxy.sa.sa_family == AF_INET6 && 638 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && 639 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, 640 &saidx->proxy.sin6.sin6_addr)) || 641 (saidx->proxy.sa.sa_family != AF_INET6 && 642 saidx->proxy.sa.sa_family != 0)) { 643 644 DPRINTF(("ipsec_common_input_cb: inner " 645 "source address %s doesn't correspond to " 646 "expected proxy source %s, SA %s/%08lx\n", 647 ip6_sprintf(&ip6n.ip6_src), 648 ipsec_address(&saidx->proxy), 649 ipsec_address(&saidx->dst), 650 (u_long) ntohl(sav->spi))); 651 652 IPSEC_ISTAT(sproto, espstat.esps_pdrops, 653 ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); 654 error = EACCES; 655 goto bad; 656 } 657 #endif /*XXX*/ 658 } 659 660 /* 661 * Record what we've done to the packet (under what SA it was 662 * processed). If we've been passed an mtag, it means the packet 663 * was already processed by an ethernet/crypto combo card and 664 * thus has a tag attached with all the right information, but 665 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to 666 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type. 667 */ 668 if (mt == NULL && sproto != IPPROTO_IPCOMP) { 669 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 670 sizeof(struct tdb_ident), M_NOWAIT); 671 if (mtag == NULL) { 672 DPRINTF(("ipsec_common_input_cb: failed to " 673 "get tag\n")); 674 IPSEC_ISTAT(sproto, espstat.esps_hdrops, 675 ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); 676 error = ENOMEM; 677 goto bad; 678 } 679 680 tdbi = (struct tdb_ident *)(mtag + 1); 681 bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union)); 682 tdbi->proto = sproto; 683 tdbi->spi = sav->spi; 684 685 m_tag_prepend(m, mtag); 686 } else { 687 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE; 688 /* XXX do we need to mark m_flags??? */ 689 } 690 691 key_sa_recordxfer(sav, m); 692 693 /* Retrieve new protocol */ 694 m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8); 695 696 /* 697 * See the end of ip6_input for this logic. 698 * IPPROTO_IPV[46] case will be processed just like other ones 699 */ 700 nest = 0; 701 nxt = nxt8; 702 while (nxt != IPPROTO_DONE) { 703 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 704 ip6stat.ip6s_toomanyhdr++; 705 error = EINVAL; 706 goto bad; 707 } 708 709 /* 710 * Protection against faulty packet - there should be 711 * more sanity checks in header chain processing. 712 */ 713 if (m->m_pkthdr.len < skip) { 714 ip6stat.ip6s_tooshort++; 715 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 716 error = EINVAL; 717 goto bad; 718 } 719 /* 720 * Enforce IPsec policy checking if we are seeing last header. 721 * note that we do not visit this with protocols with pcb layer 722 * code - like udp/tcp/raw ip. 723 */ 724 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 725 ipsec6_in_reject(m, NULL)) { 726 error = EINVAL; 727 goto bad; 728 } 729 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); 730 } 731 return 0; 732 bad: 733 if (m) 734 m_freem(m); 735 return error; 736 } 737 #endif /* INET6 */ 738
Indexes created Thu Sep 25 16:09:42 GMT 2025