1 /* $OpenBSD: ipsec_input.c,v 1.173 2020/09/01 01:53:34 gnezdo Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pf.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/protosw.h> 43 #include <sys/mbuf.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/kernel.h> 47 #include <sys/timeout.h> 48 49 #include <net/if.h> 50 #include <net/if_var.h> 51 #include <net/netisr.h> 52 #include <net/bpf.h> 53 #include <net/route.h> 54 55 #include <netinet/in.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/ip_icmp.h> 59 #include <netinet/tcp.h> 60 #include <netinet/udp.h> 61 62 #if NPF > 0 63 #include <net/pfvar.h> 64 #endif 65 66 #ifdef INET6 67 #include <netinet6/in6_var.h> 68 #include <netinet/ip6.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/ip6protosw.h> 71 #endif /* INET6 */ 72 73 #include <netinet/ip_ipsp.h> 74 #include <netinet/ip_esp.h> 75 #include <netinet/ip_ah.h> 76 #include <netinet/ip_ipcomp.h> 77 78 #include <net/if_enc.h> 79 80 #include <crypto/cryptodev.h> 81 #include <crypto/xform.h> 82 83 #include "bpfilter.h" 84 85 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 86 87 #ifdef ENCDEBUG 88 #define DPRINTF(x) if (encdebug) printf x 89 #else 90 #define DPRINTF(x) 91 #endif 92 93 /* sysctl variables */ 94 int encdebug = 0; 95 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; 96 int ipsec_require_pfs = IPSEC_DEFAULT_PFS; 97 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; 98 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; 99 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; 100 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; 101 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; 102 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; 103 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; 104 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; 105 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; 106 107 int esp_enable = 1; 108 int ah_enable = 1; 109 int ipcomp_enable = 0; 110 111 const struct sysctl_bounded_args espctl_vars[] = { 112 {ESPCTL_ENABLE, &esp_enable, 0, 1}, 113 {ESPCTL_UDPENCAP_ENABLE, &udpencap_enable, 0, 1}, 114 {ESPCTL_UDPENCAP_PORT, &udpencap_port, 0, 65535}, 115 }; 116 const struct sysctl_bounded_args ahctl_vars[] = { 117 {AHCTL_ENABLE, &ah_enable, 0, 1}, 118 }; 119 const struct sysctl_bounded_args ipcompctl_vars[] = { 120 {IPCOMPCTL_ENABLE, &ipcomp_enable, 0, 1}, 121 }; 122 123 struct cpumem *espcounters; 124 struct cpumem *ahcounters; 125 struct cpumem *ipcompcounters; 126 struct cpumem *ipseccounters; 127 128 char ipsec_def_enc[20]; 129 char ipsec_def_auth[20]; 130 char ipsec_def_comp[20]; 131 132 const struct sysctl_bounded_args ipsecctl_vars[] = { 133 { IPSEC_ENCDEBUG, &encdebug, 0, 1 }, 134 { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX }, 135 { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX }, 136 { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 }, 137 { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX }, 138 { IPSEC_ALLOCATIONS, &ipsec_exp_allocations, 0, INT_MAX }, 139 { IPSEC_SOFT_BYTES, &ipsec_soft_bytes, 0, INT_MAX }, 140 { IPSEC_BYTES, &ipsec_exp_bytes, 0, INT_MAX }, 141 { IPSEC_TIMEOUT, &ipsec_exp_timeout, 0, INT_MAX }, 142 { IPSEC_SOFT_TIMEOUT, &ipsec_soft_timeout,0, INT_MAX }, 143 { IPSEC_SOFT_FIRSTUSE, &ipsec_soft_first_use, 0, INT_MAX }, 144 { IPSEC_FIRSTUSE, &ipsec_exp_first_use, 0, INT_MAX }, 145 }; 146 147 int esp_sysctl_espstat(void *, size_t *, void *); 148 int ah_sysctl_ahstat(void *, size_t *, void *); 149 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 150 int ipsec_sysctl_ipsecstat(void *, size_t *, void *); 151 152 void 153 ipsec_init(void) 154 { 155 espcounters = counters_alloc(esps_ncounters); 156 ahcounters = counters_alloc(ahs_ncounters); 157 ipcompcounters = counters_alloc(ipcomps_ncounters); 158 ipseccounters = counters_alloc(ipsec_ncounters); 159 160 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc)); 161 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth)); 162 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); 163 164 } 165 166 /* 167 * ipsec_common_input() gets called when we receive an IPsec-protected packet 168 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 169 * transform. The callback takes care of further processing (like ingress 170 * filtering). 171 */ 172 int 173 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, 174 int udpencap) 175 { 176 #define IPSEC_ISTAT(x,y,z) do { \ 177 if (sproto == IPPROTO_ESP) \ 178 espstat_inc(x); \ 179 else if (sproto == IPPROTO_AH) \ 180 ahstat_inc(y); \ 181 else \ 182 ipcompstat_inc(z); \ 183 } while (0) 184 185 union sockaddr_union dst_address; 186 struct tdb *tdbp = NULL; 187 struct ifnet *encif; 188 u_int32_t spi; 189 u_int16_t cpi; 190 int error; 191 #ifdef ENCDEBUG 192 char buf[INET6_ADDRSTRLEN]; 193 #endif 194 195 NET_ASSERT_LOCKED(); 196 197 ipsecstat_inc(ipsec_ipackets); 198 ipsecstat_add(ipsec_ibytes, m->m_pkthdr.len); 199 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 200 201 if (m == NULL) { 202 DPRINTF(("%s: NULL packet received\n", __func__)); 203 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 204 return EINVAL; 205 } 206 207 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 208 DPRINTF(("%s: repeated decompression\n", __func__)); 209 ipcompstat_inc(ipcomps_pdrops); 210 error = EINVAL; 211 goto drop; 212 } 213 214 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 215 DPRINTF(("%s: packet too small\n", __func__)); 216 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 217 error = EINVAL; 218 goto drop; 219 } 220 221 /* Retrieve the SPI from the relevant IPsec header */ 222 switch (sproto) { 223 case IPPROTO_ESP: 224 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 225 break; 226 case IPPROTO_AH: 227 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 228 (caddr_t) &spi); 229 break; 230 case IPPROTO_IPCOMP: 231 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 232 (caddr_t) &cpi); 233 spi = ntohl(htons(cpi)); 234 break; 235 default: 236 panic("%s: unknown/unsupported security protocol %d", 237 __func__, sproto); 238 } 239 240 /* 241 * Find tunnel control block and (indirectly) call the appropriate 242 * kernel crypto routine. The resulting mbuf chain is a valid 243 * IP packet ready to go through input processing. 244 */ 245 246 memset(&dst_address, 0, sizeof(dst_address)); 247 dst_address.sa.sa_family = af; 248 249 switch (af) { 250 case AF_INET: 251 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 252 m_copydata(m, offsetof(struct ip, ip_dst), 253 sizeof(struct in_addr), 254 (caddr_t) &(dst_address.sin.sin_addr)); 255 break; 256 257 #ifdef INET6 258 case AF_INET6: 259 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 260 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 261 sizeof(struct in6_addr), 262 (caddr_t) &(dst_address.sin6.sin6_addr)); 263 in6_recoverscope(&dst_address.sin6, 264 &dst_address.sin6.sin6_addr); 265 break; 266 #endif /* INET6 */ 267 268 default: 269 DPRINTF(("%s: unsupported protocol family %d\n", __func__, af)); 270 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 271 error = EPFNOSUPPORT; 272 goto drop; 273 } 274 275 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 276 spi, &dst_address, sproto); 277 if (tdbp == NULL) { 278 DPRINTF(("%s: could not find SA for packet to %s, spi %08x\n", 279 __func__, 280 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi))); 281 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 282 error = ENOENT; 283 goto drop; 284 } 285 286 if (tdbp->tdb_flags & TDBF_INVALID) { 287 DPRINTF(("%s: attempted to use invalid SA %s/%08x/%u\n", 288 __func__, ipsp_address(&dst_address, buf, 289 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 290 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 291 error = EINVAL; 292 goto drop; 293 } 294 295 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 296 DPRINTF(("%s: attempted to use non-udpencap SA %s/%08x/%u\n", 297 __func__, ipsp_address(&dst_address, buf, 298 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 299 espstat_inc(esps_udpinval); 300 error = EINVAL; 301 goto drop; 302 } 303 304 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 305 DPRINTF(("%s: attempted to use udpencap SA %s/%08x/%u\n", 306 __func__, ipsp_address(&dst_address, buf, 307 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 308 espstat_inc(esps_udpneeded); 309 error = EINVAL; 310 goto drop; 311 } 312 313 if (tdbp->tdb_xform == NULL) { 314 DPRINTF(("%s: attempted to use uninitialized SA %s/%08x/%u\n", 315 __func__, ipsp_address(&dst_address, buf, 316 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 317 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 318 error = ENXIO; 319 goto drop; 320 } 321 322 if (sproto != IPPROTO_IPCOMP) { 323 if ((encif = enc_getif(tdbp->tdb_rdomain_post, 324 tdbp->tdb_tap)) == NULL) { 325 DPRINTF(("%s: no enc%u interface for SA %s/%08x/%u\n", 326 __func__, 327 tdbp->tdb_tap, ipsp_address(&dst_address, buf, 328 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 329 IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops); 330 error = EACCES; 331 goto drop; 332 } 333 334 /* XXX This conflicts with the scoped nature of IPv6 */ 335 m->m_pkthdr.ph_ifidx = encif->if_index; 336 } 337 338 /* Register first use, setup expiration timer. */ 339 if (tdbp->tdb_first_use == 0) { 340 tdbp->tdb_first_use = gettime(); 341 if (tdbp->tdb_flags & TDBF_FIRSTUSE) 342 timeout_add_sec(&tdbp->tdb_first_tmo, 343 tdbp->tdb_exp_first_use); 344 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) 345 timeout_add_sec(&tdbp->tdb_sfirst_tmo, 346 tdbp->tdb_soft_first_use); 347 } 348 349 tdbp->tdb_ipackets++; 350 tdbp->tdb_ibytes += m->m_pkthdr.len; 351 352 /* 353 * Call appropriate transform and return -- callback takes care of 354 * everything else. 355 */ 356 error = (*(tdbp->tdb_xform->xf_input))(m, tdbp, skip, protoff); 357 if (error) { 358 ipsecstat_inc(ipsec_idrops); 359 tdbp->tdb_idrops++; 360 } 361 return error; 362 363 drop: 364 ipsecstat_inc(ipsec_idrops); 365 if (tdbp != NULL) 366 tdbp->tdb_idrops++; 367 m_freem(m); 368 return error; 369 } 370 371 void 372 ipsec_input_cb(struct cryptop *crp) 373 { 374 struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque; 375 struct mbuf *m = (struct mbuf *) crp->crp_buf; 376 struct tdb *tdb = NULL; 377 int clen, error; 378 379 if (m == NULL) { 380 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 381 ipsecstat_inc(ipsec_crypto); 382 goto droponly; 383 } 384 385 386 NET_LOCK(); 387 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 388 if (tdb == NULL) { 389 DPRINTF(("%s: TDB is expired while in crypto", __func__)); 390 ipsecstat_inc(ipsec_notdb); 391 goto baddone; 392 } 393 394 /* Check for crypto errors */ 395 if (crp->crp_etype) { 396 if (crp->crp_etype == EAGAIN) { 397 /* Reset the session ID */ 398 if (tdb->tdb_cryptoid != 0) 399 tdb->tdb_cryptoid = crp->crp_sid; 400 NET_UNLOCK(); 401 crypto_dispatch(crp); 402 return; 403 } 404 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 405 ipsecstat_inc(ipsec_noxform); 406 goto baddone; 407 } 408 409 /* Length of data after processing */ 410 clen = crp->crp_olen; 411 412 /* Release the crypto descriptors */ 413 crypto_freereq(crp); 414 415 switch (tdb->tdb_sproto) { 416 case IPPROTO_ESP: 417 error = esp_input_cb(tdb, tc, m, clen); 418 break; 419 case IPPROTO_AH: 420 error = ah_input_cb(tdb, tc, m, clen); 421 break; 422 case IPPROTO_IPCOMP: 423 error = ipcomp_input_cb(tdb, tc, m, clen); 424 break; 425 default: 426 panic("%s: unknown/unsupported security protocol %d", 427 __func__, tdb->tdb_sproto); 428 } 429 430 NET_UNLOCK(); 431 if (error) { 432 ipsecstat_inc(ipsec_idrops); 433 tdb->tdb_idrops++; 434 } 435 return; 436 437 baddone: 438 NET_UNLOCK(); 439 droponly: 440 ipsecstat_inc(ipsec_idrops); 441 if (tdb != NULL) 442 tdb->tdb_idrops++; 443 free(tc, M_XDATA, 0); 444 m_freem(m); 445 crypto_freereq(crp); 446 } 447 448 /* 449 * IPsec input callback, called by the transform callback. Takes care of 450 * filtering and other sanity checks on the processed packet. 451 */ 452 int 453 ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) 454 { 455 int af, sproto; 456 u_int8_t prot; 457 458 #if NBPFILTER > 0 459 struct ifnet *encif; 460 #endif 461 462 struct ip *ip, ipn; 463 464 #ifdef INET6 465 struct ip6_hdr *ip6, ip6n; 466 #endif /* INET6 */ 467 struct m_tag *mtag; 468 struct tdb_ident *tdbi; 469 470 #ifdef ENCDEBUG 471 char buf[INET6_ADDRSTRLEN]; 472 #endif 473 474 af = tdbp->tdb_dst.sa.sa_family; 475 sproto = tdbp->tdb_sproto; 476 477 tdbp->tdb_last_used = gettime(); 478 479 /* Sanity check */ 480 if (m == NULL) { 481 /* The called routine will print a message if necessary */ 482 IPSEC_ISTAT(esps_badkcr, ahs_badkcr, ipcomps_badkcr); 483 return -1; 484 } 485 486 /* Fix IPv4 header */ 487 if (af == AF_INET) { 488 if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) { 489 DPRINTF(("%s: processing failed for SA %s/%08x\n", 490 __func__, ipsp_address(&tdbp->tdb_dst, 491 buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); 492 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 493 return -1; 494 } 495 496 ip = mtod(m, struct ip *); 497 ip->ip_len = htons(m->m_pkthdr.len); 498 ip->ip_sum = 0; 499 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 500 prot = ip->ip_p; 501 502 /* IP-in-IP encapsulation */ 503 if (prot == IPPROTO_IPIP) { 504 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 505 m_freem(m); 506 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 507 ipcomps_hdrops); 508 return -1; 509 } 510 /* ipn will now contain the inner IPv4 header */ 511 m_copydata(m, skip, sizeof(struct ip), 512 (caddr_t) &ipn); 513 } 514 515 #ifdef INET6 516 /* IPv6-in-IP encapsulation. */ 517 if (prot == IPPROTO_IPV6) { 518 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 519 m_freem(m); 520 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 521 ipcomps_hdrops); 522 return -1; 523 } 524 /* ip6n will now contain the inner IPv6 header. */ 525 m_copydata(m, skip, sizeof(struct ip6_hdr), 526 (caddr_t) &ip6n); 527 } 528 #endif /* INET6 */ 529 } 530 531 #ifdef INET6 532 /* Fix IPv6 header */ 533 if (af == AF_INET6) 534 { 535 if (m->m_len < sizeof(struct ip6_hdr) && 536 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 537 538 DPRINTF(("%s: processing failed for SA %s/%08x\n", 539 __func__, ipsp_address(&tdbp->tdb_dst, 540 buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); 541 542 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 543 return -1; 544 } 545 546 ip6 = mtod(m, struct ip6_hdr *); 547 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 548 549 /* Save protocol */ 550 m_copydata(m, protoff, 1, (caddr_t) &prot); 551 552 /* IP-in-IP encapsulation */ 553 if (prot == IPPROTO_IPIP) { 554 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 555 m_freem(m); 556 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 557 ipcomps_hdrops); 558 return -1; 559 } 560 /* ipn will now contain the inner IPv4 header */ 561 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 562 } 563 564 /* IPv6-in-IP encapsulation */ 565 if (prot == IPPROTO_IPV6) { 566 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 567 m_freem(m); 568 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 569 ipcomps_hdrops); 570 return -1; 571 } 572 /* ip6n will now contain the inner IPv6 header. */ 573 m_copydata(m, skip, sizeof(struct ip6_hdr), 574 (caddr_t) &ip6n); 575 } 576 } 577 #endif /* INET6 */ 578 579 /* 580 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 581 * (RFC3948 3.1.2) 582 */ 583 if ((af == AF_INET || af == AF_INET6) && 584 (tdbp->tdb_flags & TDBF_UDPENCAP) && 585 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 586 u_int16_t cksum; 587 588 switch (prot) { 589 case IPPROTO_UDP: 590 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 591 m_freem(m); 592 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 593 ipcomps_hdrops); 594 return -1; 595 } 596 cksum = 0; 597 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 598 sizeof(cksum), &cksum, M_NOWAIT); 599 #ifdef INET6 600 if (af == AF_INET6) { 601 cksum = in6_cksum(m, IPPROTO_UDP, skip, 602 m->m_pkthdr.len - skip); 603 m_copyback(m, skip + offsetof(struct udphdr, 604 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 605 } 606 #endif 607 break; 608 case IPPROTO_TCP: 609 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 610 m_freem(m); 611 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 612 ipcomps_hdrops); 613 return -1; 614 } 615 cksum = 0; 616 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 617 sizeof(cksum), &cksum, M_NOWAIT); 618 if (af == AF_INET) 619 cksum = in4_cksum(m, IPPROTO_TCP, skip, 620 m->m_pkthdr.len - skip); 621 #ifdef INET6 622 else if (af == AF_INET6) 623 cksum = in6_cksum(m, IPPROTO_TCP, skip, 624 m->m_pkthdr.len - skip); 625 #endif 626 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 627 sizeof(cksum), &cksum, M_NOWAIT); 628 break; 629 } 630 } 631 632 /* 633 * Record what we've done to the packet (under what SA it was 634 * processed). 635 */ 636 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 637 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 638 sizeof(struct tdb_ident), M_NOWAIT); 639 if (mtag == NULL) { 640 m_freem(m); 641 DPRINTF(("%s: failed to get tag\n", __func__)); 642 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 643 return -1; 644 } 645 646 tdbi = (struct tdb_ident *)(mtag + 1); 647 tdbi->dst = tdbp->tdb_dst; 648 tdbi->proto = tdbp->tdb_sproto; 649 tdbi->spi = tdbp->tdb_spi; 650 tdbi->rdomain = tdbp->tdb_rdomain; 651 652 m_tag_prepend(m, mtag); 653 } 654 655 switch (sproto) { 656 case IPPROTO_ESP: 657 /* Packet is confidential ? */ 658 if (tdbp->tdb_encalgxform) 659 m->m_flags |= M_CONF; 660 661 /* Check if we had authenticated ESP. */ 662 if (tdbp->tdb_authalgxform) 663 m->m_flags |= M_AUTH; 664 break; 665 case IPPROTO_AH: 666 m->m_flags |= M_AUTH; 667 break; 668 case IPPROTO_IPCOMP: 669 m->m_flags |= M_COMP; 670 break; 671 default: 672 panic("%s: unknown/unsupported security protocol %d", 673 __func__, sproto); 674 } 675 676 #if NPF > 0 677 /* Add pf tag if requested. */ 678 pf_tag_packet(m, tdbp->tdb_tag, -1); 679 pf_pkt_addr_changed(m); 680 #endif 681 if (tdbp->tdb_rdomain != tdbp->tdb_rdomain_post) 682 m->m_pkthdr.ph_rtableid = tdbp->tdb_rdomain_post; 683 684 if (tdbp->tdb_flags & TDBF_TUNNELING) 685 m->m_flags |= M_TUNNEL; 686 687 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); 688 tdbp->tdb_idecompbytes += m->m_pkthdr.len; 689 690 #if NBPFILTER > 0 691 if ((encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap)) != NULL) { 692 encif->if_ipackets++; 693 encif->if_ibytes += m->m_pkthdr.len; 694 695 if (encif->if_bpf) { 696 struct enchdr hdr; 697 698 hdr.af = af; 699 hdr.spi = tdbp->tdb_spi; 700 hdr.flags = m->m_flags & (M_AUTH|M_CONF); 701 702 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 703 ENC_HDRLEN, m, BPF_DIRECTION_IN); 704 } 705 } 706 #endif 707 708 #if NPF > 0 709 /* 710 * The ip_deliver() shortcut avoids running through ip_input() with the 711 * same IP header twice. Packets in transport mode have to be be 712 * passed to pf explicitly. In tunnel mode the inner IP header will 713 * run through ip_input() and pf anyway. 714 */ 715 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 716 struct ifnet *ifp; 717 718 /* This is the enc0 interface unless for ipcomp. */ 719 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 720 m_freem(m); 721 return -1; 722 } 723 if (pf_test(af, PF_IN, ifp, &m) != PF_PASS) { 724 if_put(ifp); 725 m_freem(m); 726 return -1; 727 } 728 if_put(ifp); 729 if (m == NULL) 730 return -1; 731 } 732 #endif 733 /* Call the appropriate IPsec transform callback. */ 734 ip_deliver(&m, &skip, prot, af); 735 return 0; 736 #undef IPSEC_ISTAT 737 } 738 739 int 740 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 741 size_t newlen) 742 { 743 int error; 744 745 switch (name[0]) { 746 case IPCTL_IPSEC_ENC_ALGORITHM: 747 NET_LOCK(); 748 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 749 ipsec_def_enc, sizeof(ipsec_def_enc)); 750 NET_UNLOCK(); 751 return (error); 752 case IPCTL_IPSEC_AUTH_ALGORITHM: 753 NET_LOCK(); 754 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 755 ipsec_def_auth, sizeof(ipsec_def_auth)); 756 NET_UNLOCK(); 757 return (error); 758 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 759 NET_LOCK(); 760 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 761 ipsec_def_comp, sizeof(ipsec_def_comp)); 762 NET_UNLOCK(); 763 return (error); 764 case IPCTL_IPSEC_STATS: 765 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp)); 766 default: 767 NET_LOCK(); 768 error = sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars), 769 name, namelen, oldp, oldlenp, newp, newlen); 770 NET_UNLOCK(); 771 return (error); 772 } 773 } 774 775 int 776 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 777 size_t newlen) 778 { 779 int error; 780 781 /* All sysctl names at this level are terminal. */ 782 if (namelen != 1) 783 return (ENOTDIR); 784 785 switch (name[0]) { 786 case ESPCTL_STATS: 787 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 788 default: 789 NET_LOCK(); 790 error = sysctl_bounded_arr(espctl_vars, nitems(espctl_vars), 791 name, namelen, oldp, oldlenp, newp, newlen); 792 NET_UNLOCK(); 793 return (error); 794 } 795 } 796 797 int 798 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 799 { 800 struct espstat espstat; 801 802 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 803 memset(&espstat, 0, sizeof espstat); 804 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters); 805 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 806 sizeof(espstat))); 807 } 808 809 int 810 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 811 size_t newlen) 812 { 813 int error; 814 815 /* All sysctl names at this level are terminal. */ 816 if (namelen != 1) 817 return (ENOTDIR); 818 819 switch (name[0]) { 820 case AHCTL_STATS: 821 return ah_sysctl_ahstat(oldp, oldlenp, newp); 822 default: 823 NET_LOCK(); 824 error = sysctl_bounded_arr(ahctl_vars, nitems(ahctl_vars), name, 825 namelen, oldp, oldlenp, newp, newlen); 826 NET_UNLOCK(); 827 return (error); 828 } 829 } 830 831 int 832 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 833 { 834 struct ahstat ahstat; 835 836 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 837 memset(&ahstat, 0, sizeof ahstat); 838 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters); 839 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 840 } 841 842 int 843 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 844 size_t newlen) 845 { 846 int error; 847 848 /* All sysctl names at this level are terminal. */ 849 if (namelen != 1) 850 return (ENOTDIR); 851 852 switch (name[0]) { 853 case IPCOMPCTL_STATS: 854 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 855 default: 856 NET_LOCK(); 857 error = sysctl_bounded_arr(ipcompctl_vars, 858 nitems(ipcompctl_vars), name, namelen, oldp, oldlenp, 859 newp, newlen); 860 NET_UNLOCK(); 861 return (error); 862 } 863 } 864 865 int 866 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 867 { 868 struct ipcompstat ipcompstat; 869 870 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 871 memset(&ipcompstat, 0, sizeof ipcompstat); 872 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 873 ipcomps_ncounters); 874 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 875 sizeof(ipcompstat))); 876 } 877 878 int 879 ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp) 880 { 881 struct ipsecstat ipsecstat; 882 883 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t))); 884 memset(&ipsecstat, 0, sizeof ipsecstat); 885 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters); 886 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat, 887 sizeof(ipsecstat))); 888 } 889 890 /* IPv4 AH wrapper. */ 891 int 892 ah4_input(struct mbuf **mp, int *offp, int proto, int af) 893 { 894 if ( 895 #if NPF > 0 896 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 897 #endif 898 !ah_enable) 899 return rip_input(mp, offp, proto, af); 900 901 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 902 proto, 0); 903 return IPPROTO_DONE; 904 } 905 906 void 907 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 908 { 909 if (sa->sa_family != AF_INET || 910 sa->sa_len != sizeof(struct sockaddr_in)) 911 return; 912 913 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 914 } 915 916 /* IPv4 ESP wrapper. */ 917 int 918 esp4_input(struct mbuf **mp, int *offp, int proto, int af) 919 { 920 if ( 921 #if NPF > 0 922 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 923 #endif 924 !esp_enable) 925 return rip_input(mp, offp, proto, af); 926 927 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 928 proto, 0); 929 return IPPROTO_DONE; 930 } 931 932 /* IPv4 IPCOMP wrapper */ 933 int 934 ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af) 935 { 936 if ( 937 #if NPF > 0 938 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 939 #endif 940 !ipcomp_enable) 941 return rip_input(mp, offp, proto, af); 942 943 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 944 proto, 0); 945 return IPPROTO_DONE; 946 } 947 948 void 949 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 950 void *v, int proto) 951 { 952 struct ip *ip = v; 953 954 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) { 955 struct tdb *tdbp; 956 struct sockaddr_in dst; 957 struct icmp *icp; 958 int hlen = ip->ip_hl << 2; 959 u_int32_t spi, mtu; 960 ssize_t adjust; 961 962 /* Find the right MTU. */ 963 icp = (struct icmp *)((caddr_t) ip - 964 offsetof(struct icmp, icmp_ip)); 965 mtu = ntohs(icp->icmp_nextmtu); 966 967 /* 968 * Ignore the packet, if we do not receive a MTU 969 * or the MTU is too small to be acceptable. 970 */ 971 if (mtu < 296) 972 return; 973 974 memset(&dst, 0, sizeof(struct sockaddr_in)); 975 dst.sin_family = AF_INET; 976 dst.sin_len = sizeof(struct sockaddr_in); 977 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 978 979 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 980 981 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst, 982 proto); 983 if (tdbp == NULL || tdbp->tdb_flags & TDBF_INVALID) 984 return; 985 986 /* Walk the chain backwards to the first tdb */ 987 NET_ASSERT_LOCKED(); 988 for (; tdbp; tdbp = tdbp->tdb_inext) { 989 if (tdbp->tdb_flags & TDBF_INVALID || 990 (adjust = ipsec_hdrsz(tdbp)) == -1) 991 return; 992 993 mtu -= adjust; 994 995 /* Store adjusted MTU in tdb */ 996 tdbp->tdb_mtu = mtu; 997 tdbp->tdb_mtutimeout = gettime() + 998 ip_mtudisc_timeout; 999 DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", __func__, 1000 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 1001 adjust)); 1002 } 1003 } 1004 } 1005 1006 void 1007 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1008 { 1009 struct ip *ip = v; 1010 struct tdb *tdbp; 1011 struct icmp *icp; 1012 u_int32_t mtu; 1013 ssize_t adjust; 1014 struct sockaddr_in dst, src; 1015 union sockaddr_union *su_dst, *su_src; 1016 1017 NET_ASSERT_LOCKED(); 1018 1019 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 1020 mtu = ntohs(icp->icmp_nextmtu); 1021 1022 /* 1023 * Ignore the packet, if we do not receive a MTU 1024 * or the MTU is too small to be acceptable. 1025 */ 1026 if (mtu < 296) 1027 return; 1028 1029 memset(&dst, 0, sizeof(dst)); 1030 dst.sin_family = AF_INET; 1031 dst.sin_len = sizeof(struct sockaddr_in); 1032 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 1033 su_dst = (union sockaddr_union *)&dst; 1034 memset(&src, 0, sizeof(src)); 1035 src.sin_family = AF_INET; 1036 src.sin_len = sizeof(struct sockaddr_in); 1037 src.sin_addr.s_addr = ip->ip_src.s_addr; 1038 su_src = (union sockaddr_union *)&src; 1039 1040 tdbp = gettdbbysrcdst_rev(rdomain, 0, su_src, su_dst, 1041 IPPROTO_ESP); 1042 1043 for (; tdbp != NULL; tdbp = tdbp->tdb_snext) { 1044 if (tdbp->tdb_sproto == IPPROTO_ESP && 1045 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 1046 TDBF_UDPENCAP) && 1047 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 1048 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) { 1049 if ((adjust = ipsec_hdrsz(tdbp)) != -1) { 1050 /* Store adjusted MTU in tdb */ 1051 tdbp->tdb_mtu = mtu - adjust; 1052 tdbp->tdb_mtutimeout = gettime() + 1053 ip_mtudisc_timeout; 1054 DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", 1055 __func__, 1056 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 1057 adjust)); 1058 } 1059 } 1060 } 1061 } 1062 1063 void 1064 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1065 { 1066 if (sa->sa_family != AF_INET || 1067 sa->sa_len != sizeof(struct sockaddr_in)) 1068 return; 1069 1070 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 1071 } 1072 1073 #ifdef INET6 1074 /* IPv6 AH wrapper. */ 1075 int 1076 ah6_input(struct mbuf **mp, int *offp, int proto, int af) 1077 { 1078 int l = 0; 1079 int protoff, nxt; 1080 struct ip6_ext ip6e; 1081 1082 if ( 1083 #if NPF > 0 1084 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1085 #endif 1086 !ah_enable) 1087 return rip6_input(mp, offp, proto, af); 1088 1089 if (*offp < sizeof(struct ip6_hdr)) { 1090 DPRINTF(("%s: bad offset\n", __func__)); 1091 ahstat_inc(ahs_hdrops); 1092 m_freemp(mp); 1093 return IPPROTO_DONE; 1094 } else if (*offp == sizeof(struct ip6_hdr)) { 1095 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1096 } else { 1097 /* Chase down the header chain... */ 1098 protoff = sizeof(struct ip6_hdr); 1099 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1100 1101 do { 1102 protoff += l; 1103 m_copydata(*mp, protoff, sizeof(ip6e), 1104 (caddr_t) &ip6e); 1105 1106 if (nxt == IPPROTO_AH) 1107 l = (ip6e.ip6e_len + 2) << 2; 1108 else 1109 l = (ip6e.ip6e_len + 1) << 3; 1110 #ifdef DIAGNOSTIC 1111 if (l <= 0) 1112 panic("ah6_input: l went zero or negative"); 1113 #endif 1114 1115 nxt = ip6e.ip6e_nxt; 1116 } while (protoff + l < *offp); 1117 1118 /* Malformed packet check */ 1119 if (protoff + l != *offp) { 1120 DPRINTF(("%s: bad packet header chain\n", __func__)); 1121 ahstat_inc(ahs_hdrops); 1122 m_freemp(mp); 1123 return IPPROTO_DONE; 1124 } 1125 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1126 } 1127 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1128 return IPPROTO_DONE; 1129 } 1130 1131 /* IPv6 ESP wrapper. */ 1132 int 1133 esp6_input(struct mbuf **mp, int *offp, int proto, int af) 1134 { 1135 int l = 0; 1136 int protoff, nxt; 1137 struct ip6_ext ip6e; 1138 1139 if ( 1140 #if NPF > 0 1141 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1142 #endif 1143 !esp_enable) 1144 return rip6_input(mp, offp, proto, af); 1145 1146 if (*offp < sizeof(struct ip6_hdr)) { 1147 DPRINTF(("%s: bad offset\n", __func__)); 1148 espstat_inc(esps_hdrops); 1149 m_freemp(mp); 1150 return IPPROTO_DONE; 1151 } else if (*offp == sizeof(struct ip6_hdr)) { 1152 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1153 } else { 1154 /* Chase down the header chain... */ 1155 protoff = sizeof(struct ip6_hdr); 1156 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1157 1158 do { 1159 protoff += l; 1160 m_copydata(*mp, protoff, sizeof(ip6e), 1161 (caddr_t) &ip6e); 1162 1163 if (nxt == IPPROTO_AH) 1164 l = (ip6e.ip6e_len + 2) << 2; 1165 else 1166 l = (ip6e.ip6e_len + 1) << 3; 1167 #ifdef DIAGNOSTIC 1168 if (l <= 0) 1169 panic("esp6_input: l went zero or negative"); 1170 #endif 1171 1172 nxt = ip6e.ip6e_nxt; 1173 } while (protoff + l < *offp); 1174 1175 /* Malformed packet check */ 1176 if (protoff + l != *offp) { 1177 DPRINTF(("%s: bad packet header chain\n", __func__)); 1178 espstat_inc(esps_hdrops); 1179 m_freemp(mp); 1180 return IPPROTO_DONE; 1181 } 1182 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1183 } 1184 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1185 return IPPROTO_DONE; 1186 1187 } 1188 1189 /* IPv6 IPcomp wrapper */ 1190 int 1191 ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af) 1192 { 1193 int l = 0; 1194 int protoff, nxt; 1195 struct ip6_ext ip6e; 1196 1197 if ( 1198 #if NPF > 0 1199 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1200 #endif 1201 !ipcomp_enable) 1202 return rip6_input(mp, offp, proto, af); 1203 1204 if (*offp < sizeof(struct ip6_hdr)) { 1205 DPRINTF(("%s: bad offset\n", __func__)); 1206 ipcompstat_inc(ipcomps_hdrops); 1207 m_freemp(mp); 1208 return IPPROTO_DONE; 1209 } else if (*offp == sizeof(struct ip6_hdr)) { 1210 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1211 } else { 1212 /* Chase down the header chain... */ 1213 protoff = sizeof(struct ip6_hdr); 1214 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1215 1216 do { 1217 protoff += l; 1218 m_copydata(*mp, protoff, sizeof(ip6e), 1219 (caddr_t) &ip6e); 1220 if (nxt == IPPROTO_AH) 1221 l = (ip6e.ip6e_len + 2) << 2; 1222 else 1223 l = (ip6e.ip6e_len + 1) << 3; 1224 #ifdef DIAGNOSTIC 1225 if (l <= 0) 1226 panic("l went zero or negative"); 1227 #endif 1228 1229 nxt = ip6e.ip6e_nxt; 1230 } while (protoff + l < *offp); 1231 1232 /* Malformed packet check */ 1233 if (protoff + l != *offp) { 1234 DPRINTF(("%s: bad packet header chain\n", __func__)); 1235 ipcompstat_inc(ipcomps_hdrops); 1236 m_freemp(mp); 1237 return IPPROTO_DONE; 1238 } 1239 1240 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1241 } 1242 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1243 return IPPROTO_DONE; 1244 } 1245 #endif /* INET6 */ 1246 1247 int 1248 ipsec_forward_check(struct mbuf *m, int hlen, int af) 1249 { 1250 struct tdb *tdb; 1251 struct tdb_ident *tdbi; 1252 struct m_tag *mtag; 1253 int error = 0; 1254 1255 /* 1256 * IPsec policy check for forwarded packets. Look at 1257 * inner-most IPsec SA used. 1258 */ 1259 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1260 if (mtag != NULL) { 1261 tdbi = (struct tdb_ident *)(mtag + 1); 1262 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1263 } else 1264 tdb = NULL; 1265 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0); 1266 1267 return error; 1268 } 1269 1270 int 1271 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1272 { 1273 struct tdb *tdb; 1274 struct tdb_ident *tdbi; 1275 struct m_tag *mtag; 1276 int error = 0; 1277 1278 /* 1279 * If it's a protected packet for us, skip the policy check. 1280 * That's because we really only care about the properties of 1281 * the protected packet, and not the intermediate versions. 1282 * While this is not the most paranoid setting, it allows 1283 * some flexibility in handling nested tunnels (in setting up 1284 * the policies). 1285 */ 1286 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1287 (proto == IPPROTO_IPCOMP)) 1288 return 0; 1289 1290 /* 1291 * If the protected packet was tunneled, then we need to 1292 * verify the protected packet's information, not the 1293 * external headers. Thus, skip the policy lookup for the 1294 * external packet, and keep the IPsec information linked on 1295 * the packet header (the encapsulation routines know how 1296 * to deal with that). 1297 */ 1298 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1299 return 0; 1300 1301 /* 1302 * When processing IPv6 header chains, do not look at the 1303 * outer header. The inner protocol is relevant and will 1304 * be checked by the local delivery loop later. 1305 */ 1306 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1307 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1308 return 0; 1309 1310 /* 1311 * If the protected packet is TCP or UDP, we'll do the 1312 * policy check in the respective input routine, so we can 1313 * check for bypass sockets. 1314 */ 1315 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1316 return 0; 1317 1318 /* 1319 * IPsec policy check for local-delivery packets. Look at the 1320 * inner-most SA that protected the packet. This is in fact 1321 * a bit too restrictive (it could end up causing packets to 1322 * be dropped that semantically follow the policy, e.g., in 1323 * certain SA-bundle configurations); but the alternative is 1324 * very complicated (and requires keeping track of what 1325 * kinds of tunneling headers have been seen in-between the 1326 * IPsec headers), and I don't think we lose much functionality 1327 * that's needed in the real world (who uses bundles anyway ?). 1328 */ 1329 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1330 if (mtag) { 1331 tdbi = (struct tdb_ident *)(mtag + 1); 1332 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1333 tdbi->proto); 1334 } else 1335 tdb = NULL; 1336 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, 1337 tdb, NULL, 0); 1338 1339 return error; 1340 } 1341