1 /* $NetBSD: ipsec_input.c,v 1.36 2016/06/10 13:31:44 ozaki-r Exp $ */
2 /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
3 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
4
5 /*
6 * The authors of this code are John Ioannidis (ji@tla.org),
7 * Angelos D. Keromytis (kermit@csd.uch.gr) and
8 * Niels Provos (provos@physnet.uni-hamburg.de).
9 *
10 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
11 * in November 1995.
12 *
13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
14 * by Angelos D. Keromytis.
15 *
16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
17 * and Niels Provos.
18 *
19 * Additional features in 1999 by Angelos D. Keromytis.
20 *
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
23 * Copyright (c) 2001, Angelos D. Keromytis.
24 *
25 * Permission to use, copy, and modify this software with or without fee
26 * is hereby granted, provided that this entire notice is included in
27 * all copies of any software which is or includes a copy or
28 * modification of this software.
29 * You may use this code under the GNU public license if you so wish. Please
30 * contribute changes back to the authors under this freer than GPL license
31 * so that we may further the use of strong encryption without limitations to
32 * all.
33 *
34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
38 * PURPOSE.
39 */
40
41 #include <sys/cdefs.h>
42 __KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.36 2016/06/10 13:31:44 ozaki-r Exp $");
43
44 /*
45 * IPsec input processing.
46 */
47
48 #include "opt_inet.h"
49 #ifdef __FreeBSD__
50 #include "opt_inet6.h"
51 #endif
52
53 #include <sys/param.h>
54 #include <sys/systm.h>
55 #include <sys/malloc.h>
56 #include <sys/mbuf.h>
57 #include <sys/domain.h>
58 #include <sys/protosw.h>
59 #include <sys/socket.h>
60 #include <sys/errno.h>
61 #include <sys/syslog.h>
62
63 #include <net/if.h>
64 #include <net/route.h>
65
66 #include <netinet/in.h>
67 #include <netinet/in_systm.h>
68 #include <netinet/ip.h>
69 #include <netinet/ip_var.h>
70 #include <netinet/in_var.h>
71 #include <netinet/in_proto.h>
72
73 #include <netinet/ip6.h>
74 #ifdef INET6
75 #include <netinet6/ip6_var.h>
76 #include <netinet6/ip6_private.h>
77 #include <netinet6/scope6_var.h>
78 #endif
79 #include <netinet/in_pcb.h>
80 #ifdef INET6
81 #include <netinet/icmp6.h>
82 #endif
83
84 #include <netipsec/ipsec.h>
85 #include <netipsec/ipsec_private.h>
86 #ifdef INET6
87 #include <netipsec/ipsec6.h>
88 #endif
89 #include <netipsec/ah_var.h>
90 #include <netipsec/esp.h>
91 #include <netipsec/esp_var.h>
92 #include <netipsec/ipcomp_var.h>
93
94 #include <netipsec/key.h>
95 #include <netipsec/keydb.h>
96
97 #include <netipsec/xform.h>
98 #include <netinet6/ip6protosw.h>
99
100 #include <netipsec/ipsec_osdep.h>
101
102 #include <net/net_osdep.h>
103
104 #define IPSEC_ISTAT(p, x, y, z) \
105 do { \
106 switch (p) { \
107 case IPPROTO_ESP: \
108 ESP_STATINC(x); \
109 break; \
110 case IPPROTO_AH: \
111 AH_STATINC(y); \
112 break; \
113 default: \
114 IPCOMP_STATINC(z); \
115 break; \
116 } \
117 } while (/*CONSTCOND*/0)
118
119 /*
120 * ipsec_common_input gets called when an IPsec-protected packet
121 * is received by IPv4 or IPv6. It's job is to find the right SA
122 # and call the appropriate transform. The transform callback
123 * takes care of further processing (like ingress filtering).
124 */
125 static int
ipsec_common_input(struct mbuf * m,int skip,int protoff,int af,int sproto)126 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
127 {
128 union sockaddr_union dst_address;
129 struct secasvar *sav;
130 u_int32_t spi;
131 u_int16_t sport;
132 u_int16_t dport;
133 int s, error;
134
135 IPSEC_ISTAT(sproto, ESP_STAT_INPUT, AH_STAT_INPUT,
136 IPCOMP_STAT_INPUT);
137
138 IPSEC_ASSERT(m != NULL, ("ipsec_common_input: null packet"));
139
140 if ((sproto == IPPROTO_ESP && !esp_enable) ||
141 (sproto == IPPROTO_AH && !ah_enable) ||
142 (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
143 m_freem(m);
144 IPSEC_ISTAT(sproto, ESP_STAT_PDROPS, AH_STAT_PDROPS,
145 IPCOMP_STAT_PDROPS);
146 return EOPNOTSUPP;
147 }
148
149 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
150 m_freem(m);
151 IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
152 IPCOMP_STAT_HDROPS);
153 DPRINTF(("ipsec_common_input: packet too small\n"));
154 return EINVAL;
155 }
156
157 /* Retrieve the SPI from the relevant IPsec header */
158 if (sproto == IPPROTO_ESP)
159 m_copydata(m, skip, sizeof(u_int32_t), &spi);
160 else if (sproto == IPPROTO_AH)
161 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), &spi);
162 else if (sproto == IPPROTO_IPCOMP) {
163 u_int16_t cpi;
164 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), &cpi);
165 spi = ntohl(htons(cpi));
166 } else {
167 panic("ipsec_common_input called with bad protocol number :"
168 "%d\n", sproto);
169 }
170
171
172 /* find the source port for NAT-T */
173 nat_t_ports_get(m, &dport, &sport);
174
175 /*
176 * Find the SA and (indirectly) call the appropriate
177 * kernel crypto routine. The resulting mbuf chain is a valid
178 * IP packet ready to go through input processing.
179 */
180 memset(&dst_address, 0, sizeof (dst_address));
181 dst_address.sa.sa_family = af;
182 switch (af) {
183 #ifdef INET
184 case AF_INET:
185 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
186 m_copydata(m, offsetof(struct ip, ip_dst),
187 sizeof(struct in_addr),
188 &dst_address.sin.sin_addr);
189 break;
190 #endif /* INET */
191 #ifdef INET6
192 case AF_INET6:
193 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
194 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
195 sizeof(struct in6_addr),
196 &dst_address.sin6.sin6_addr);
197 if (sa6_recoverscope(&dst_address.sin6)) {
198 m_freem(m);
199 return EINVAL;
200 }
201 break;
202 #endif /* INET6 */
203 default:
204 DPRINTF(("ipsec_common_input: unsupported protocol "
205 "family %u\n", af));
206 m_freem(m);
207 IPSEC_ISTAT(sproto, ESP_STAT_NOPF, AH_STAT_NOPF,
208 IPCOMP_STAT_NOPF);
209 return EPFNOSUPPORT;
210 }
211
212 s = splsoftnet();
213
214 /* NB: only pass dst since key_allocsa follows RFC2401 */
215 sav = KEY_ALLOCSA(&dst_address, sproto, spi, sport, dport);
216 if (sav == NULL) {
217 DPRINTF(("ipsec_common_input: no key association found for"
218 " SA %s/%08lx/%u/%u\n",
219 ipsec_address(&dst_address),
220 (u_long) ntohl(spi), sproto, ntohs(dport)));
221 IPSEC_ISTAT(sproto, ESP_STAT_NOTDB, AH_STAT_NOTDB,
222 IPCOMP_STAT_NOTDB);
223 splx(s);
224 m_freem(m);
225 return ENOENT;
226 }
227
228 if (sav->tdb_xform == NULL) {
229 DPRINTF(("ipsec_common_input: attempted to use uninitialized"
230 " SA %s/%08lx/%u\n",
231 ipsec_address(&dst_address),
232 (u_long) ntohl(spi), sproto));
233 IPSEC_ISTAT(sproto, ESP_STAT_NOXFORM, AH_STAT_NOXFORM,
234 IPCOMP_STAT_NOXFORM);
235 KEY_FREESAV(&sav);
236 splx(s);
237 m_freem(m);
238 return ENXIO;
239 }
240
241 /*
242 * Call appropriate transform and return -- callback takes care of
243 * everything else.
244 */
245 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
246 KEY_FREESAV(&sav);
247 splx(s);
248 return error;
249 }
250
251 #ifdef INET
252 /*
253 * Common input handler for IPv4 AH, ESP, and IPCOMP.
254 */
255 void
ipsec4_common_input(struct mbuf * m,...)256 ipsec4_common_input(struct mbuf *m, ...)
257 {
258 va_list ap;
259 int off, nxt;
260
261 va_start(ap, m);
262 off = va_arg(ap, int);
263 nxt = va_arg(ap, int);
264 va_end(ap);
265
266 (void) ipsec_common_input(m, off, offsetof(struct ip, ip_p),
267 AF_INET, nxt);
268 }
269
270 /*
271 * IPsec input callback for INET protocols.
272 * This routine is called as the transform callback.
273 * Takes care of filtering and other sanity checks on
274 * the processed packet.
275 */
276 int
ipsec4_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff,struct m_tag * mt)277 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
278 int skip, int protoff, struct m_tag *mt)
279 {
280 int prot, af __diagused, sproto;
281 struct ip *ip;
282 struct m_tag *mtag;
283 struct tdb_ident *tdbi;
284 struct secasindex *saidx;
285 int error;
286
287 IPSEC_SPLASSERT_SOFTNET("ipsec4_common_input_cb");
288
289 IPSEC_ASSERT(m != NULL, ("ipsec4_common_input_cb: null mbuf"));
290 IPSEC_ASSERT(sav != NULL, ("ipsec4_common_input_cb: null SA"));
291 IPSEC_ASSERT(sav->sah != NULL, ("ipsec4_common_input_cb: null SAH"));
292 saidx = &sav->sah->saidx;
293 af = saidx->dst.sa.sa_family;
294 IPSEC_ASSERT(af == AF_INET, ("ipsec4_common_input_cb: unexpected af %u",af));
295 sproto = saidx->proto;
296 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
297 sproto == IPPROTO_IPCOMP,
298 ("ipsec4_common_input_cb: unexpected security protocol %u",
299 sproto));
300
301 /* Sanity check */
302 if (m == NULL) {
303 DPRINTF(("ipsec4_common_input_cb: null mbuf"));
304 IPSEC_ISTAT(sproto, ESP_STAT_BADKCR, AH_STAT_BADKCR,
305 IPCOMP_STAT_BADKCR);
306 KEY_FREESAV(&sav);
307 return EINVAL;
308 }
309
310 /* Fix IPv4 header */
311 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
312 DPRINTF(("ipsec4_common_input_cb: processing failed "
313 "for SA %s/%08lx\n",
314 ipsec_address(&sav->sah->saidx.dst),
315 (u_long) ntohl(sav->spi)));
316 IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
317 IPCOMP_STAT_HDROPS);
318 error = ENOBUFS;
319 goto bad;
320 }
321
322 ip = mtod(m, struct ip *);
323 ip->ip_len = htons(m->m_pkthdr.len);
324 prot = ip->ip_p;
325
326 /* IP-in-IP encapsulation */
327 if (prot == IPPROTO_IPIP) {
328 struct ip ipn;
329
330 /* ipn will now contain the inner IPv4 header */
331 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), &ipn);
332
333 #ifdef notyet
334 /* XXX PROXY address isn't recorded in SAH */
335 /*
336 * Check that the inner source address is the same as
337 * the proxy address, if available.
338 */
339 if ((saidx->proxy.sa.sa_family == AF_INET &&
340 saidx->proxy.sin.sin_addr.s_addr !=
341 INADDR_ANY &&
342 ipn.ip_src.s_addr !=
343 saidx->proxy.sin.sin_addr.s_addr) ||
344 (saidx->proxy.sa.sa_family != AF_INET &&
345 saidx->proxy.sa.sa_family != 0)) {
346
347 DPRINTF(("ipsec4_common_input_cb: inner "
348 "source address %s doesn't correspond to "
349 "expected proxy source %s, SA %s/%08lx\n",
350 inet_ntoa4(ipn.ip_src),
351 ipsp_address(saidx->proxy),
352 ipsp_address(saidx->dst),
353 (u_long) ntohl(sav->spi)));
354
355 IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
356 AH_STAT_PDROPS,
357 IPCOMP_STAT_PDROPS);
358 error = EACCES;
359 goto bad;
360 }
361 #endif /*XXX*/
362 }
363 #if INET6
364 /* IPv6-in-IP encapsulation. */
365 if (prot == IPPROTO_IPV6) {
366 struct ip6_hdr ip6n;
367
368 /* ip6n will now contain the inner IPv6 header. */
369 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), &ip6n);
370
371 #ifdef notyet
372 /*
373 * Check that the inner source address is the same as
374 * the proxy address, if available.
375 */
376 if ((saidx->proxy.sa.sa_family == AF_INET6 &&
377 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
378 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
379 &saidx->proxy.sin6.sin6_addr)) ||
380 (saidx->proxy.sa.sa_family != AF_INET6 &&
381 saidx->proxy.sa.sa_family != 0)) {
382
383 DPRINTF(("ipsec4_common_input_cb: inner "
384 "source address %s doesn't correspond to "
385 "expected proxy source %s, SA %s/%08lx\n",
386 ip6_sprintf(&ip6n.ip6_src),
387 ipsec_address(&saidx->proxy),
388 ipsec_address(&saidx->dst),
389 (u_long) ntohl(sav->spi)));
390
391 IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
392 AH_STAT_PDROPS,
393 IPCOMP_STAT_PDROPS);
394 error = EACCES;
395 goto bad;
396 }
397 #endif /*XXX*/
398 }
399 #endif /* INET6 */
400
401 /*
402 * Record what we've done to the packet (under what SA it was
403 * processed). If we've been passed an mtag, it means the packet
404 * was already processed by an ethernet/crypto combo card and
405 * thus has a tag attached with all the right information, but
406 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
407 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
408 */
409 if (mt == NULL && sproto != IPPROTO_IPCOMP) {
410 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
411 sizeof(struct tdb_ident), M_NOWAIT);
412 if (mtag == NULL) {
413 DPRINTF(("ipsec4_common_input_cb: failed to get tag\n"));
414 IPSEC_ISTAT(sproto, ESP_STAT_HDROPS,
415 AH_STAT_HDROPS, IPCOMP_STAT_HDROPS);
416 error = ENOMEM;
417 goto bad;
418 }
419
420 tdbi = (struct tdb_ident *)(mtag + 1);
421 memcpy(&tdbi->dst, &saidx->dst, saidx->dst.sa.sa_len);
422 tdbi->proto = sproto;
423 tdbi->spi = sav->spi;
424
425 m_tag_prepend(m, mtag);
426 } else {
427 if (mt != NULL)
428 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
429 /* XXX do we need to mark m_flags??? */
430 }
431
432 key_sa_recordxfer(sav, m); /* record data transfer */
433
434 if ((inetsw[ip_protox[prot]].pr_flags & PR_LASTHDR) != 0 &&
435 ipsec4_in_reject(m, NULL)) {
436 error = EINVAL;
437 goto bad;
438 }
439 (*inetsw[ip_protox[prot]].pr_input)(m, skip, prot);
440 return 0;
441 bad:
442 m_freem(m);
443 return error;
444 }
445 #endif /* INET */
446
447 #ifdef INET6
448 /* IPv6 AH wrapper. */
449 int
ipsec6_common_input(struct mbuf ** mp,int * offp,int proto)450 ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
451 {
452 int l = 0;
453 int protoff, nxt;
454 struct ip6_ext ip6e;
455
456 if (*offp < sizeof(struct ip6_hdr)) {
457 DPRINTF(("ipsec6_common_input: bad offset %u\n", *offp));
458 IPSEC_ISTAT(proto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
459 IPCOMP_STAT_HDROPS);
460 m_freem(*mp);
461 return IPPROTO_DONE;
462 } else if (*offp == sizeof(struct ip6_hdr)) {
463 protoff = offsetof(struct ip6_hdr, ip6_nxt);
464 } else {
465 /* Chase down the header chain... */
466 protoff = sizeof(struct ip6_hdr);
467 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt;
468
469 do {
470 protoff += l;
471 m_copydata(*mp, protoff, sizeof(ip6e), &ip6e);
472
473 if (nxt == IPPROTO_AH)
474 l = (ip6e.ip6e_len + 2) << 2;
475 else
476 l = (ip6e.ip6e_len + 1) << 3;
477 IPSEC_ASSERT(l > 0,
478 ("ipsec6_common_input: l went zero or negative"));
479
480 nxt = ip6e.ip6e_nxt;
481 } while (protoff + l < *offp);
482
483 /* Malformed packet check */
484 if (protoff + l != *offp) {
485 DPRINTF(("ipsec6_common_input: bad packet header chain, "
486 "protoff %u, l %u, off %u\n", protoff, l, *offp));
487 IPSEC_ISTAT(proto, ESP_STAT_HDROPS,
488 AH_STAT_HDROPS,
489 IPCOMP_STAT_HDROPS);
490 m_freem(*mp);
491 *mp = NULL;
492 return IPPROTO_DONE;
493 }
494 protoff += offsetof(struct ip6_ext, ip6e_nxt);
495 }
496 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto);
497 return IPPROTO_DONE;
498 }
499
500 /*
501 * NB: ipsec_netbsd.c has a duplicate definition of esp6_ctlinput(),
502 * with slightly ore recent multicast tests. These should be merged.
503 * For now, ifdef accordingly.
504 */
505 #ifdef __FreeBSD__
506 void
esp6_ctlinput(int cmd,struct sockaddr * sa,void * d)507 esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
508 {
509 if (sa->sa_family != AF_INET6 ||
510 sa->sa_len != sizeof(struct sockaddr_in6))
511 return;
512 if ((unsigned)cmd >= PRC_NCMDS)
513 return;
514
515 /* if the parameter is from icmp6, decode it. */
516 if (d != NULL) {
517 struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d;
518 struct mbuf *m = ip6cp->ip6c_m;
519 int off = ip6cp->ip6c_off;
520
521 struct ip6ctlparam ip6cp1;
522
523 /*
524 * Notify the error to all possible sockets via pfctlinput2.
525 * Since the upper layer information (such as protocol type,
526 * source and destination ports) is embedded in the encrypted
527 * data and might have been cut, we can't directly call
528 * an upper layer ctlinput function. However, the pcbnotify
529 * function will consider source and destination addresses
530 * as well as the flow info value, and may be able to find
531 * some PCB that should be notified.
532 * Although pfctlinput2 will call esp6_ctlinput(), there is
533 * no possibility of an infinite loop of function calls,
534 * because we don't pass the inner IPv6 header.
535 */
536 memset(&ip6cp1, 0, sizeof(ip6cp1));
537 ip6cp1.ip6c_src = ip6cp->ip6c_src;
538 pfctlinput2(cmd, sa, &ip6cp1);
539
540 /*
541 * Then go to special cases that need ESP header information.
542 * XXX: We assume that when ip6 is non NULL,
543 * M and OFF are valid.
544 */
545
546 if (cmd == PRC_MSGSIZE) {
547 struct secasvar *sav;
548 u_int32_t spi;
549 int valid;
550
551 /* check header length before using m_copydata */
552 if (m->m_pkthdr.len < off + sizeof (struct esp))
553 return;
554 m_copydata(m, off + offsetof(struct esp, esp_spi),
555 sizeof(u_int32_t), &spi);
556 /*
557 * Check to see if we have a valid SA corresponding to
558 * the address in the ICMP message payload.
559 */
560 sav = KEY_ALLOCSA((union sockaddr_union *)sa,
561 IPPROTO_ESP, spi);
562 valid = (sav != NULL);
563 if (sav)
564 KEY_FREESAV(&sav);
565
566 /* XXX Further validation? */
567
568 /*
569 * Depending on whether the SA is "valid" and
570 * routing table size (mtudisc_{hi,lo}wat), we will:
571 * - recalcurate the new MTU and create the
572 * corresponding routing entry, or
573 * - ignore the MTU change notification.
574 */
575 icmp6_mtudisc_update(ip6cp, valid);
576 }
577 } else {
578 /* we normally notify any pcb here */
579 }
580 }
581 #endif /* __FreeBSD__ */
582
583 extern const struct ip6protosw inet6sw[];
584 extern u_char ip6_protox[];
585
586 /*
587 * IPsec input callback, called by the transform callback. Takes care of
588 * filtering and other sanity checks on the processed packet.
589 */
590 int
ipsec6_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff,struct m_tag * mt)591 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
592 struct m_tag *mt)
593 {
594 int af __diagused, sproto;
595 struct ip6_hdr *ip6;
596 struct m_tag *mtag;
597 struct tdb_ident *tdbi;
598 struct secasindex *saidx;
599 int nxt;
600 u_int8_t prot, nxt8;
601 int error, nest;
602
603 IPSEC_ASSERT(m != NULL, ("ipsec6_common_input_cb: null mbuf"));
604 IPSEC_ASSERT(sav != NULL, ("ipsec6_common_input_cb: null SA"));
605 IPSEC_ASSERT(sav->sah != NULL, ("ipsec6_common_input_cb: null SAH"));
606 saidx = &sav->sah->saidx;
607 af = saidx->dst.sa.sa_family;
608 IPSEC_ASSERT(af == AF_INET6,
609 ("ipsec6_common_input_cb: unexpected af %u", af));
610 sproto = saidx->proto;
611 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
612 sproto == IPPROTO_IPCOMP,
613 ("ipsec6_common_input_cb: unexpected security protocol %u",
614 sproto));
615
616 /* Sanity check */
617 if (m == NULL) {
618 DPRINTF(("ipsec6_common_input_cb: null mbuf"));
619 IPSEC_ISTAT(sproto, ESP_STAT_BADKCR, AH_STAT_BADKCR,
620 IPCOMP_STAT_BADKCR);
621 error = EINVAL;
622 goto bad;
623 }
624
625 /* Fix IPv6 header */
626 if (m->m_len < sizeof(struct ip6_hdr) &&
627 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
628
629 DPRINTF(("ipsec6_common_input_cb: processing failed "
630 "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst),
631 (u_long) ntohl(sav->spi)));
632
633 IPSEC_ISTAT(sproto, ESP_STAT_HDROPS, AH_STAT_HDROPS,
634 IPCOMP_STAT_HDROPS);
635 error = EACCES;
636 goto bad;
637 }
638
639 ip6 = mtod(m, struct ip6_hdr *);
640 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
641
642 /* Save protocol */
643 m_copydata(m, protoff, 1, &prot);
644
645 #ifdef INET
646 /* IP-in-IP encapsulation */
647 if (prot == IPPROTO_IPIP) {
648 struct ip ipn;
649
650 /* ipn will now contain the inner IPv4 header */
651 m_copydata(m, skip, sizeof(struct ip), &ipn);
652
653 #ifdef notyet
654 /*
655 * Check that the inner source address is the same as
656 * the proxy address, if available.
657 */
658 if ((saidx->proxy.sa.sa_family == AF_INET &&
659 saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
660 ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
661 (saidx->proxy.sa.sa_family != AF_INET &&
662 saidx->proxy.sa.sa_family != 0)) {
663
664 DPRINTF(("ipsec6_common_input_cb: inner "
665 "source address %s doesn't correspond to "
666 "expected proxy source %s, SA %s/%08lx\n",
667 inet_ntoa4(ipn.ip_src),
668 ipsec_address(&saidx->proxy),
669 ipsec_address(&saidx->dst),
670 (u_long) ntohl(sav->spi)));
671
672 IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
673 AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
674 error = EACCES;
675 goto bad;
676 }
677 #endif /*XXX*/
678 }
679 #endif /* INET */
680
681 /* IPv6-in-IP encapsulation */
682 if (prot == IPPROTO_IPV6) {
683 struct ip6_hdr ip6n;
684
685 /* ip6n will now contain the inner IPv6 header. */
686 m_copydata(m, skip, sizeof(struct ip6_hdr), &ip6n);
687
688 #ifdef notyet
689 /*
690 * Check that the inner source address is the same as
691 * the proxy address, if available.
692 */
693 if ((saidx->proxy.sa.sa_family == AF_INET6 &&
694 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
695 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
696 &saidx->proxy.sin6.sin6_addr)) ||
697 (saidx->proxy.sa.sa_family != AF_INET6 &&
698 saidx->proxy.sa.sa_family != 0)) {
699
700 DPRINTF(("ipsec6_common_input_cb: inner "
701 "source address %s doesn't correspond to "
702 "expected proxy source %s, SA %s/%08lx\n",
703 ip6_sprintf(&ip6n.ip6_src),
704 ipsec_address(&saidx->proxy),
705 ipsec_address(&saidx->dst),
706 (u_long) ntohl(sav->spi)));
707
708 IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
709 AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
710 error = EACCES;
711 goto bad;
712 }
713 #endif /*XXX*/
714 }
715
716 /*
717 * Record what we've done to the packet (under what SA it was
718 * processed). If we've been passed an mtag, it means the packet
719 * was already processed by an ethernet/crypto combo card and
720 * thus has a tag attached with all the right information, but
721 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
722 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
723 */
724 if (mt == NULL && sproto != IPPROTO_IPCOMP) {
725 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
726 sizeof(struct tdb_ident), M_NOWAIT);
727 if (mtag == NULL) {
728 DPRINTF(("ipsec_common_input_cb: failed to "
729 "get tag\n"));
730 IPSEC_ISTAT(sproto, ESP_STAT_HDROPS,
731 AH_STAT_HDROPS, IPCOMP_STAT_HDROPS);
732 error = ENOMEM;
733 goto bad;
734 }
735
736 tdbi = (struct tdb_ident *)(mtag + 1);
737 memcpy(&tdbi->dst, &saidx->dst, sizeof(union sockaddr_union));
738 tdbi->proto = sproto;
739 tdbi->spi = sav->spi;
740
741 m_tag_prepend(m, mtag);
742 } else {
743 if (mt != NULL)
744 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
745 /* XXX do we need to mark m_flags??? */
746 }
747
748 key_sa_recordxfer(sav, m);
749
750 /* Retrieve new protocol */
751 m_copydata(m, protoff, sizeof(u_int8_t), &nxt8);
752
753 /*
754 * See the end of ip6_input for this logic.
755 * IPPROTO_IPV[46] case will be processed just like other ones
756 */
757 nest = 0;
758 nxt = nxt8;
759 while (nxt != IPPROTO_DONE) {
760 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
761 IP6_STATINC(IP6_STAT_TOOMANYHDR);
762 error = EINVAL;
763 goto bad;
764 }
765
766 /*
767 * Protection against faulty packet - there should be
768 * more sanity checks in header chain processing.
769 */
770 if (m->m_pkthdr.len < skip) {
771 IP6_STATINC(IP6_STAT_TOOSHORT);
772 in6_ifstat_inc(m_get_rcvif_NOMPSAFE(m),
773 ifs6_in_truncated);
774 error = EINVAL;
775 goto bad;
776 }
777 /*
778 * Enforce IPsec policy checking if we are seeing last header.
779 * note that we do not visit this with protocols with pcb layer
780 * code - like udp/tcp/raw ip.
781 */
782 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
783 ipsec6_in_reject(m, NULL)) {
784 error = EINVAL;
785 goto bad;
786 }
787 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
788 }
789 return 0;
790 bad:
791 if (m)
792 m_freem(m);
793 return error;
794 }
795 #endif /* INET6 */
796