1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
2 /*-
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
6 *
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8 * in November 1995.
9 *
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
12 *
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14 * and Niels Provos.
15 *
16 * Additional features in 1999 by Angelos D. Keromytis.
17 *
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
20 * Copyright (c) 2001, Angelos D. Keromytis.
21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
22 *
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
30 * all.
31 *
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36 * PURPOSE.
37 */
38
39 /*
40 * IPsec input processing.
41 */
42
43 #include <sys/cdefs.h>
44 #include "opt_inet.h"
45 #include "opt_inet6.h"
46 #include "opt_ipsec.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/malloc.h>
51 #include <sys/mbuf.h>
52 #include <sys/domain.h>
53 #include <sys/protosw.h>
54 #include <sys/socket.h>
55 #include <sys/errno.h>
56 #include <sys/hhook.h>
57 #include <sys/syslog.h>
58
59 #include <net/if.h>
60 #include <net/if_var.h>
61 #include <net/if_enc.h>
62 #include <net/if_private.h>
63 #include <net/netisr.h>
64 #include <net/vnet.h>
65
66 #include <netinet/in.h>
67 #include <netinet/in_pcb.h>
68 #include <netinet/in_systm.h>
69 #include <netinet/ip.h>
70 #include <netinet/ip_var.h>
71 #include <netinet/ip_icmp.h>
72 #include <netinet/in_var.h>
73 #include <netinet/tcp_var.h>
74
75 #include <netinet/ip6.h>
76 #ifdef INET6
77 #include <netinet6/ip6_var.h>
78 #endif
79 #include <netinet/in_pcb.h>
80 #ifdef INET6
81 #include <netinet/icmp6.h>
82 #endif
83
84 #include <netipsec/ipsec.h>
85 #ifdef INET6
86 #include <netipsec/ipsec6.h>
87 #endif
88 #include <netipsec/ipsec_support.h>
89 #include <netipsec/ah_var.h>
90 #include <netipsec/esp.h>
91 #include <netipsec/esp_var.h>
92 #include <netipsec/ipcomp_var.h>
93
94 #include <netipsec/key.h>
95 #include <netipsec/keydb.h>
96 #include <netipsec/key_debug.h>
97
98 #include <netipsec/xform.h>
99
100 #include <machine/in_cksum.h>
101 #include <machine/stdarg.h>
102
103 #define IPSEC_ISTAT(proto, name) do { \
104 if ((proto) == IPPROTO_ESP) \
105 ESPSTAT_INC(esps_##name); \
106 else if ((proto) == IPPROTO_AH) \
107 AHSTAT_INC(ahs_##name); \
108 else \
109 IPCOMPSTAT_INC(ipcomps_##name); \
110 } while (0)
111
112 /*
113 * ipsec_common_input gets called when an IPsec-protected packet
114 * is received by IPv4 or IPv6. Its job is to find the right SA
115 * and call the appropriate transform. The transform callback
116 * takes care of further processing (like ingress filtering).
117 */
118 static int
ipsec_common_input(struct mbuf * m,int skip,int protoff,int af,int sproto)119 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
120 {
121 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
122 union sockaddr_union dst_address;
123 struct secasvar *sav;
124 uint32_t spi;
125 int error;
126
127 IPSEC_ISTAT(sproto, input);
128
129 IPSEC_ASSERT(m != NULL, ("null packet"));
130
131 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
132 sproto == IPPROTO_IPCOMP,
133 ("unexpected security protocol %u", sproto));
134
135 if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
136 (sproto == IPPROTO_AH && !V_ah_enable) ||
137 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
138 m_freem(m);
139 IPSEC_ISTAT(sproto, pdrops);
140 return EOPNOTSUPP;
141 }
142
143 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
144 m_freem(m);
145 IPSEC_ISTAT(sproto, hdrops);
146 DPRINTF(("%s: packet too small\n", __func__));
147 return EINVAL;
148 }
149
150 /* Retrieve the SPI from the relevant IPsec header */
151 if (sproto == IPPROTO_ESP)
152 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
153 else if (sproto == IPPROTO_AH)
154 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
155 (caddr_t) &spi);
156 else if (sproto == IPPROTO_IPCOMP) {
157 u_int16_t cpi;
158 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
159 (caddr_t) &cpi);
160 spi = ntohl(htons(cpi));
161 }
162
163 /*
164 * Find the SA and (indirectly) call the appropriate
165 * kernel crypto routine. The resulting mbuf chain is a valid
166 * IP packet ready to go through input processing.
167 */
168 bzero(&dst_address, sizeof (dst_address));
169 dst_address.sa.sa_family = af;
170 switch (af) {
171 #ifdef INET
172 case AF_INET:
173 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
174 m_copydata(m, offsetof(struct ip, ip_dst),
175 sizeof(struct in_addr),
176 (caddr_t) &dst_address.sin.sin_addr);
177 break;
178 #endif /* INET */
179 #ifdef INET6
180 case AF_INET6:
181 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
182 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
183 sizeof(struct in6_addr),
184 (caddr_t) &dst_address.sin6.sin6_addr);
185 /* We keep addresses in SADB without embedded scope id */
186 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
187 /* XXX: sa6_recoverscope() */
188 dst_address.sin6.sin6_scope_id =
189 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
190 dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
191 }
192 break;
193 #endif /* INET6 */
194 default:
195 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
196 m_freem(m);
197 IPSEC_ISTAT(sproto, nopf);
198 return EPFNOSUPPORT;
199 }
200
201 /* NB: only pass dst since key_allocsa follows RFC2401 */
202 sav = key_allocsa(&dst_address, sproto, spi);
203 if (sav == NULL) {
204 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
205 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
206 (u_long) ntohl(spi), sproto));
207 IPSEC_ISTAT(sproto, notdb);
208 m_freem(m);
209 return ENOENT;
210 }
211
212 if (sav->tdb_xform == NULL) {
213 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
214 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
215 (u_long) ntohl(spi), sproto));
216 IPSEC_ISTAT(sproto, noxform);
217 key_freesav(&sav);
218 m_freem(m);
219 return ENXIO;
220 }
221
222 /*
223 * Call appropriate transform and return -- callback takes care of
224 * everything else.
225 */
226 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
227 return (error);
228 }
229
230 #ifdef INET
231 /*
232 * IPSEC_INPUT() method implementation for IPv4.
233 * 0 - Permitted by inbound security policy for further processing.
234 * EACCES - Forbidden by inbound security policy.
235 * EINPROGRESS - consumed by IPsec.
236 */
237 int
ipsec4_input(struct mbuf * m,int offset,int proto)238 ipsec4_input(struct mbuf *m, int offset, int proto)
239 {
240
241 switch (proto) {
242 case IPPROTO_AH:
243 case IPPROTO_ESP:
244 case IPPROTO_IPCOMP:
245 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
246 ipsec_common_input(m, offset,
247 offsetof(struct ip, ip_p), AF_INET, proto);
248 return (EINPROGRESS); /* mbuf consumed by IPsec */
249 default:
250 /*
251 * Protocols with further headers get their IPsec treatment
252 * within the protocol specific processing.
253 */
254 switch (proto) {
255 case IPPROTO_ICMP:
256 case IPPROTO_IGMP:
257 case IPPROTO_IPV4:
258 case IPPROTO_IPV6:
259 case IPPROTO_RSVP:
260 case IPPROTO_GRE:
261 case IPPROTO_MOBILE:
262 case IPPROTO_ETHERIP:
263 case IPPROTO_PIM:
264 case IPPROTO_SCTP:
265 break;
266 default:
267 return (0);
268 }
269 };
270 /*
271 * Enforce IPsec policy checking if we are seeing last header.
272 */
273 if (ipsec4_in_reject(m, NULL) != 0) {
274 /* Forbidden by inbound security policy */
275 m_freem(m);
276 return (EACCES);
277 }
278 return (0);
279 }
280
281 int
ipsec4_ctlinput(ipsec_ctlinput_param_t param)282 ipsec4_ctlinput(ipsec_ctlinput_param_t param)
283 {
284 struct icmp *icp = param.icmp;
285 struct ip *ip = &icp->icmp_ip;
286 struct sockaddr_in icmpsrc = {
287 .sin_len = sizeof(struct sockaddr_in),
288 .sin_family = AF_INET,
289 .sin_addr = ip->ip_dst,
290 };
291 struct in_conninfo inc;
292 struct secasvar *sav;
293 uint32_t pmtu, spi;
294 uint32_t max_pmtu;
295 uint8_t proto;
296
297 pmtu = ntohs(icp->icmp_nextmtu);
298
299 if (pmtu < V_ip4_ipsec_min_pmtu)
300 return (EINVAL);
301
302 proto = ip->ip_p;
303 if (proto != IPPROTO_ESP && proto != IPPROTO_AH &&
304 proto != IPPROTO_IPCOMP)
305 return (EINVAL);
306
307 memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi));
308 sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi);
309 if (sav == NULL)
310 return (ENOENT);
311
312 key_freesav(&sav);
313
314 memset(&inc, 0, sizeof(inc));
315 inc.inc_faddr = ip->ip_dst;
316
317 /* Update pmtu only if its smaller than the current one. */
318 max_pmtu = tcp_hc_getmtu(&inc);
319 if (max_pmtu == 0)
320 max_pmtu = tcp_maxmtu(&inc, NULL);
321
322 if (pmtu < max_pmtu)
323 tcp_hc_updatemtu(&inc, pmtu);
324
325 return (0);
326 }
327
328 /*
329 * IPsec input callback for INET protocols.
330 * This routine is called as the transform callback.
331 * Takes care of filtering and other sanity checks on
332 * the processed packet.
333 */
334 int
ipsec4_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff)335 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
336 int protoff)
337 {
338 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
339 struct epoch_tracker et;
340 struct ipsec_ctx_data ctx;
341 struct xform_history *xh;
342 struct secasindex *saidx;
343 struct m_tag *mtag;
344 struct ip *ip;
345 int error, prot, af, sproto, isr_prot;
346
347 IPSEC_ASSERT(sav != NULL, ("null SA"));
348 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
349 saidx = &sav->sah->saidx;
350 af = saidx->dst.sa.sa_family;
351 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
352 sproto = saidx->proto;
353 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
354 sproto == IPPROTO_IPCOMP,
355 ("unexpected security protocol %u", sproto));
356
357 if (skip != 0) {
358 /*
359 * Fix IPv4 header
360 */
361 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
362 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
363 __func__, ipsec_address(&sav->sah->saidx.dst,
364 buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
365 IPSEC_ISTAT(sproto, hdrops);
366 error = ENOBUFS;
367 goto bad_noepoch;
368 }
369
370 ip = mtod(m, struct ip *);
371 ip->ip_len = htons(m->m_pkthdr.len);
372 ip->ip_sum = 0;
373 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
374 } else {
375 ip = mtod(m, struct ip *);
376 }
377 prot = ip->ip_p;
378 /*
379 * Check that we have NAT-T enabled and apply transport mode
380 * decapsulation NAT procedure (RFC3948).
381 * Do this before invoking into the PFIL.
382 */
383 if (sav->natt != NULL &&
384 (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
385 udp_ipsec_adjust_cksum(m, sav, prot, skip);
386
387 /*
388 * Needed for ipsec_run_hooks and netisr_queue_src
389 */
390 NET_EPOCH_ENTER(et);
391
392 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
393 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
394 goto bad;
395 ip = mtod(m, struct ip *); /* update pointer */
396
397 /* IP-in-IP encapsulation */
398 if (prot == IPPROTO_IPIP &&
399 saidx->mode != IPSEC_MODE_TRANSPORT) {
400 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
401 IPSEC_ISTAT(sproto, hdrops);
402 error = EINVAL;
403 goto bad;
404 }
405 /* enc0: strip outer IPv4 header */
406 m_striphdr(m, 0, ip->ip_hl << 2);
407 }
408 #ifdef INET6
409 /* IPv6-in-IP encapsulation. */
410 else if (prot == IPPROTO_IPV6 &&
411 saidx->mode != IPSEC_MODE_TRANSPORT) {
412 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
413 IPSEC_ISTAT(sproto, hdrops);
414 error = EINVAL;
415 goto bad;
416 }
417 /* enc0: strip IPv4 header, keep IPv6 header only */
418 m_striphdr(m, 0, ip->ip_hl << 2);
419 }
420 #endif /* INET6 */
421 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
422 /*
423 * When mode is wildcard, inner protocol is IPv6 and
424 * we have no INET6 support - drop this packet a bit later.
425 * In other cases we assume transport mode. Set prot to
426 * correctly choose netisr.
427 */
428 prot = IPPROTO_IPIP;
429 }
430
431 /*
432 * Record what we've done to the packet (under what SA it was
433 * processed).
434 */
435 if (sproto != IPPROTO_IPCOMP) {
436 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
437 sizeof(struct xform_history), M_NOWAIT);
438 if (mtag == NULL) {
439 DPRINTF(("%s: failed to get tag\n", __func__));
440 IPSEC_ISTAT(sproto, hdrops);
441 error = ENOMEM;
442 goto bad;
443 }
444
445 xh = (struct xform_history *)(mtag + 1);
446 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
447 xh->spi = sav->spi;
448 xh->proto = sproto;
449 xh->mode = saidx->mode;
450 m_tag_prepend(m, mtag);
451 }
452
453 key_sa_recordxfer(sav, m); /* record data transfer */
454
455 /*
456 * In transport mode requeue decrypted mbuf back to IPv4 protocol
457 * handler. This is necessary to correctly expose rcvif.
458 */
459 if (saidx->mode == IPSEC_MODE_TRANSPORT)
460 prot = IPPROTO_IPIP;
461 /*
462 * Re-dispatch via software interrupt.
463 */
464 switch (prot) {
465 case IPPROTO_IPIP:
466 isr_prot = NETISR_IP;
467 af = AF_INET;
468 break;
469 #ifdef INET6
470 case IPPROTO_IPV6:
471 isr_prot = NETISR_IPV6;
472 af = AF_INET6;
473 break;
474 #endif
475 default:
476 DPRINTF(("%s: cannot handle inner ip proto %d\n",
477 __func__, prot));
478 IPSEC_ISTAT(sproto, nopf);
479 error = EPFNOSUPPORT;
480 goto bad;
481 }
482
483 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
484 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
485 goto bad;
486
487 /* Handle virtual tunneling interfaces */
488 if (saidx->mode == IPSEC_MODE_TUNNEL)
489 error = ipsec_if_input(m, sav, af);
490 if (error == 0) {
491 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
492 if (error) {
493 IPSEC_ISTAT(sproto, qfull);
494 DPRINTF(("%s: queue full; proto %u packet dropped\n",
495 __func__, sproto));
496 }
497 }
498 NET_EPOCH_EXIT(et);
499 key_freesav(&sav);
500 return (error);
501 bad:
502 NET_EPOCH_EXIT(et);
503 bad_noepoch:
504 key_freesav(&sav);
505 if (m != NULL)
506 m_freem(m);
507 return (error);
508 }
509 #endif /* INET */
510
511 #ifdef INET6
512 static bool
ipsec6_lasthdr(int proto)513 ipsec6_lasthdr(int proto)
514 {
515
516 switch (proto) {
517 case IPPROTO_IPV4:
518 case IPPROTO_IPV6:
519 case IPPROTO_GRE:
520 case IPPROTO_ICMPV6:
521 case IPPROTO_ETHERIP:
522 case IPPROTO_PIM:
523 case IPPROTO_SCTP:
524 return (true);
525 default:
526 return (false);
527 };
528 }
529
530 /*
531 * IPSEC_INPUT() method implementation for IPv6.
532 * 0 - Permitted by inbound security policy for further processing.
533 * EACCES - Forbidden by inbound security policy.
534 * EINPROGRESS - consumed by IPsec.
535 */
536 int
ipsec6_input(struct mbuf * m,int offset,int proto)537 ipsec6_input(struct mbuf *m, int offset, int proto)
538 {
539
540 switch (proto) {
541 case IPPROTO_AH:
542 case IPPROTO_ESP:
543 case IPPROTO_IPCOMP:
544 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
545 ipsec_common_input(m, offset,
546 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
547 return (EINPROGRESS); /* mbuf consumed by IPsec */
548 default:
549 /*
550 * Protocols with further headers get their IPsec treatment
551 * within the protocol specific processing.
552 */
553 if (!ipsec6_lasthdr(proto))
554 return (0);
555 /* FALLTHROUGH */
556 };
557 /*
558 * Enforce IPsec policy checking if we are seeing last header.
559 */
560 if (ipsec6_in_reject(m, NULL) != 0) {
561 /* Forbidden by inbound security policy */
562 m_freem(m);
563 return (EACCES);
564 }
565 return (0);
566 }
567
568 int
ipsec6_ctlinput(ipsec_ctlinput_param_t param)569 ipsec6_ctlinput(ipsec_ctlinput_param_t param)
570 {
571 return (0);
572 }
573
574 extern ipproto_input_t *ip6_protox[];
575
576 /*
577 * IPsec input callback, called by the transform callback. Takes care of
578 * filtering and other sanity checks on the processed packet.
579 */
580 int
ipsec6_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff)581 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
582 int protoff)
583 {
584 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
585 struct epoch_tracker et;
586 struct ipsec_ctx_data ctx;
587 struct xform_history *xh;
588 struct secasindex *saidx;
589 struct ip6_hdr *ip6;
590 struct m_tag *mtag;
591 int prot, af, sproto;
592 int nxt, isr_prot;
593 int error, nest;
594 uint8_t nxt8;
595
596 IPSEC_ASSERT(sav != NULL, ("null SA"));
597 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
598 saidx = &sav->sah->saidx;
599 af = saidx->dst.sa.sa_family;
600 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
601 sproto = saidx->proto;
602 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
603 sproto == IPPROTO_IPCOMP,
604 ("unexpected security protocol %u", sproto));
605
606 NET_EPOCH_ENTER(et);
607
608 /* Fix IPv6 header */
609 if (m->m_len < sizeof(struct ip6_hdr) &&
610 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
611 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
612 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
613 sizeof(buf)), (u_long) ntohl(sav->spi)));
614
615 IPSEC_ISTAT(sproto, hdrops);
616 error = EACCES;
617 goto bad;
618 }
619
620 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
621 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
622 goto bad;
623
624 ip6 = mtod(m, struct ip6_hdr *);
625 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
626
627 /* Save protocol */
628 m_copydata(m, protoff, 1, &nxt8);
629 prot = nxt8;
630
631 /*
632 * Check that we have NAT-T enabled and apply transport mode
633 * decapsulation NAT procedure (RFC3948).
634 * Do this before invoking into the PFIL.
635 */
636 if (sav->natt != NULL &&
637 (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
638 udp_ipsec_adjust_cksum(m, sav, prot, skip);
639
640 /* IPv6-in-IP encapsulation */
641 if (prot == IPPROTO_IPV6 &&
642 saidx->mode != IPSEC_MODE_TRANSPORT) {
643 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
644 IPSEC_ISTAT(sproto, hdrops);
645 error = EINVAL;
646 goto bad;
647 }
648 /* ip6n will now contain the inner IPv6 header. */
649 m_striphdr(m, 0, skip);
650 skip = 0;
651 }
652 #ifdef INET
653 /* IP-in-IP encapsulation */
654 else if (prot == IPPROTO_IPIP &&
655 saidx->mode != IPSEC_MODE_TRANSPORT) {
656 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
657 IPSEC_ISTAT(sproto, hdrops);
658 error = EINVAL;
659 goto bad;
660 }
661 /* ipn will now contain the inner IPv4 header */
662 m_striphdr(m, 0, skip);
663 skip = 0;
664 }
665 #endif /* INET */
666 else {
667 prot = IPPROTO_IPV6; /* for correct BPF processing */
668 }
669
670 /*
671 * Record what we've done to the packet (under what SA it was
672 * processed).
673 */
674 if (sproto != IPPROTO_IPCOMP) {
675 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
676 sizeof(struct xform_history), M_NOWAIT);
677 if (mtag == NULL) {
678 DPRINTF(("%s: failed to get tag\n", __func__));
679 IPSEC_ISTAT(sproto, hdrops);
680 error = ENOMEM;
681 goto bad;
682 }
683
684 xh = (struct xform_history *)(mtag + 1);
685 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
686 xh->spi = sav->spi;
687 xh->proto = sproto;
688 xh->mode = saidx->mode;
689 m_tag_prepend(m, mtag);
690 }
691
692 key_sa_recordxfer(sav, m);
693
694 #ifdef INET
695 if (prot == IPPROTO_IPIP)
696 af = AF_INET;
697 else
698 #endif
699 af = AF_INET6;
700 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
701 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
702 goto bad;
703 if (skip == 0) {
704 /*
705 * We stripped outer IPv6 header.
706 * Now we should requeue decrypted packet via netisr.
707 */
708 switch (prot) {
709 #ifdef INET
710 case IPPROTO_IPIP:
711 isr_prot = NETISR_IP;
712 break;
713 #endif
714 case IPPROTO_IPV6:
715 isr_prot = NETISR_IPV6;
716 break;
717 default:
718 DPRINTF(("%s: cannot handle inner ip proto %d\n",
719 __func__, prot));
720 IPSEC_ISTAT(sproto, nopf);
721 error = EPFNOSUPPORT;
722 goto bad;
723 }
724 /* Handle virtual tunneling interfaces */
725 if (saidx->mode == IPSEC_MODE_TUNNEL)
726 error = ipsec_if_input(m, sav, af);
727 if (error == 0) {
728 error = netisr_queue_src(isr_prot,
729 (uintptr_t)sav->spi, m);
730 if (error) {
731 IPSEC_ISTAT(sproto, qfull);
732 DPRINTF(("%s: queue full; proto %u packet"
733 " dropped\n", __func__, sproto));
734 }
735 }
736 NET_EPOCH_EXIT(et);
737 key_freesav(&sav);
738 return (error);
739 }
740 /*
741 * See the end of ip6_input for this logic.
742 * IPPROTO_IPV[46] case will be processed just like other ones
743 */
744 nest = 0;
745 nxt = nxt8;
746 while (nxt != IPPROTO_DONE) {
747 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
748 IP6STAT_INC(ip6s_toomanyhdr);
749 error = EINVAL;
750 goto bad;
751 }
752
753 /*
754 * Protection against faulty packet - there should be
755 * more sanity checks in header chain processing.
756 */
757 if (m->m_pkthdr.len < skip) {
758 IP6STAT_INC(ip6s_tooshort);
759 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
760 error = EINVAL;
761 goto bad;
762 }
763 /*
764 * Enforce IPsec policy checking if we are seeing last header.
765 * note that we do not visit this with protocols with pcb layer
766 * code - like udp/tcp/raw ip.
767 */
768 if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) {
769 error = EINVAL;
770 goto bad;
771 }
772 nxt = ip6_protox[nxt](&m, &skip, nxt);
773 }
774 NET_EPOCH_EXIT(et);
775 key_freesav(&sav);
776 return (0);
777 bad:
778 NET_EPOCH_EXIT(et);
779 key_freesav(&sav);
780 if (m)
781 m_freem(m);
782 return (error);
783 }
784 #endif /* INET6 */
785