ipsec_input.c (249294) | ipsec_input.c (252028) |
---|---|
1/* $FreeBSD: head/sys/netipsec/ipsec_input.c 249294 2013-04-09 07:11:22Z ae $ */ | 1/* $FreeBSD: head/sys/netipsec/ipsec_input.c 252028 2013-06-20 11:44:16Z ae $ */ |
2/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ 3/*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. --- 84 unchanged lines hidden (view full) --- 94#include <machine/in_cksum.h> 95#include <machine/stdarg.h> 96 97#ifdef DEV_ENC 98#include <net/if_enc.h> 99#endif 100 101 | 2/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ 3/*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. --- 84 unchanged lines hidden (view full) --- 94#include <machine/in_cksum.h> 95#include <machine/stdarg.h> 96 97#ifdef DEV_ENC 98#include <net/if_enc.h> 99#endif 100 101 |
102#define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \ 103 (p) == IPPROTO_AH ? (y)++ : (z)++) | 102#define IPSEC_ISTAT(proto, name) do { \ 103 if ((proto) == IPPROTO_ESP) \ 104 ESPSTAT_INC(esps_##name); \ 105 else if ((proto) == IPPROTO_AH) \ 106 AHSTAT_INC(ahs_##name); \ 107 else \ 108 IPCOMPSTAT_INC(ipcomps_##name); \ 109} while (0) |
104 105#ifdef INET 106static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); 107#endif 108 109/* 110 * ipsec_common_input gets called when an IPsec-protected packet 111 * is received by IPv4 or IPv6. Its job is to find the right SA --- 8 unchanged lines hidden (view full) --- 120 u_int32_t spi; 121 int error; 122#ifdef INET 123#ifdef IPSEC_NAT_T 124 struct m_tag *tag; 125#endif 126#endif 127 | 110 111#ifdef INET 112static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); 113#endif 114 115/* 116 * ipsec_common_input gets called when an IPsec-protected packet 117 * is received by IPv4 or IPv6. Its job is to find the right SA --- 8 unchanged lines hidden (view full) --- 126 u_int32_t spi; 127 int error; 128#ifdef INET 129#ifdef IPSEC_NAT_T 130 struct m_tag *tag; 131#endif 132#endif 133 |
128 IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input, 129 V_ipcompstat.ipcomps_input); | 134 IPSEC_ISTAT(sproto, input); |
130 131 IPSEC_ASSERT(m != NULL, ("null packet")); 132 133 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 134 sproto == IPPROTO_IPCOMP, 135 ("unexpected security protocol %u", sproto)); 136 137 if ((sproto == IPPROTO_ESP && !V_esp_enable) || 138 (sproto == IPPROTO_AH && !V_ah_enable) || 139 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 140 m_freem(m); | 135 136 IPSEC_ASSERT(m != NULL, ("null packet")); 137 138 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 139 sproto == IPPROTO_IPCOMP, 140 ("unexpected security protocol %u", sproto)); 141 142 if ((sproto == IPPROTO_ESP && !V_esp_enable) || 143 (sproto == IPPROTO_AH && !V_ah_enable) || 144 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 145 m_freem(m); |
141 IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, 142 V_ipcompstat.ipcomps_pdrops); | 146 IPSEC_ISTAT(sproto, pdrops); |
143 return EOPNOTSUPP; 144 } 145 146 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 147 m_freem(m); | 147 return EOPNOTSUPP; 148 } 149 150 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 151 m_freem(m); |
148 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, 149 V_ipcompstat.ipcomps_hdrops); | 152 IPSEC_ISTAT(sproto, hdrops); |
150 DPRINTF(("%s: packet too small\n", __func__)); 151 return EINVAL; 152 } 153 154 /* Retrieve the SPI from the relevant IPsec header */ 155 if (sproto == IPPROTO_ESP) 156 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 157 else if (sproto == IPPROTO_AH) --- 34 unchanged lines hidden (view full) --- 192 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 193 sizeof(struct in6_addr), 194 (caddr_t) &dst_address.sin6.sin6_addr); 195 break; 196#endif /* INET6 */ 197 default: 198 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); 199 m_freem(m); | 153 DPRINTF(("%s: packet too small\n", __func__)); 154 return EINVAL; 155 } 156 157 /* Retrieve the SPI from the relevant IPsec header */ 158 if (sproto == IPPROTO_ESP) 159 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 160 else if (sproto == IPPROTO_AH) --- 34 unchanged lines hidden (view full) --- 195 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 196 sizeof(struct in6_addr), 197 (caddr_t) &dst_address.sin6.sin6_addr); 198 break; 199#endif /* INET6 */ 200 default: 201 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); 202 m_freem(m); |
200 IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf, 201 V_ipcompstat.ipcomps_nopf); | 203 IPSEC_ISTAT(sproto, nopf); |
202 return EPFNOSUPPORT; 203 } 204 205 /* NB: only pass dst since key_allocsa follows RFC2401 */ 206 sav = KEY_ALLOCSA(&dst_address, sproto, spi); 207 if (sav == NULL) { 208 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", 209 __func__, ipsec_address(&dst_address), 210 (u_long) ntohl(spi), sproto)); | 204 return EPFNOSUPPORT; 205 } 206 207 /* NB: only pass dst since key_allocsa follows RFC2401 */ 208 sav = KEY_ALLOCSA(&dst_address, sproto, spi); 209 if (sav == NULL) { 210 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", 211 __func__, ipsec_address(&dst_address), 212 (u_long) ntohl(spi), sproto)); |
211 IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb, 212 V_ipcompstat.ipcomps_notdb); | 213 IPSEC_ISTAT(sproto, notdb); |
213 m_freem(m); 214 return ENOENT; 215 } 216 217 if (sav->tdb_xform == NULL) { 218 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", 219 __func__, ipsec_address(&dst_address), 220 (u_long) ntohl(spi), sproto)); | 214 m_freem(m); 215 return ENOENT; 216 } 217 218 if (sav->tdb_xform == NULL) { 219 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", 220 __func__, ipsec_address(&dst_address), 221 (u_long) ntohl(spi), sproto)); |
221 IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform, 222 V_ipcompstat.ipcomps_noxform); | 222 IPSEC_ISTAT(sproto, noxform); |
223 KEY_FREESAV(&sav); 224 m_freem(m); 225 return ENXIO; 226 } 227 228 /* 229 * Call appropriate transform and return -- callback takes care of 230 * everything else. --- 85 unchanged lines hidden (view full) --- 316 sproto = saidx->proto; 317 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 318 sproto == IPPROTO_IPCOMP, 319 ("unexpected security protocol %u", sproto)); 320 321 /* Sanity check */ 322 if (m == NULL) { 323 DPRINTF(("%s: null mbuf", __func__)); | 223 KEY_FREESAV(&sav); 224 m_freem(m); 225 return ENXIO; 226 } 227 228 /* 229 * Call appropriate transform and return -- callback takes care of 230 * everything else. --- 85 unchanged lines hidden (view full) --- 316 sproto = saidx->proto; 317 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 318 sproto == IPPROTO_IPCOMP, 319 ("unexpected security protocol %u", sproto)); 320 321 /* Sanity check */ 322 if (m == NULL) { 323 DPRINTF(("%s: null mbuf", __func__)); |
324 IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, 325 V_ipcompstat.ipcomps_badkcr); | 324 IPSEC_ISTAT(sproto, badkcr); |
326 KEY_FREESAV(&sav); 327 return EINVAL; 328 } 329 330 if (skip != 0) { 331 /* 332 * Fix IPv4 header 333 * XXXGL: do we need this entire block? 334 */ 335 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 336 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 337 __func__, ipsec_address(&sav->sah->saidx.dst), 338 (u_long) ntohl(sav->spi))); | 325 KEY_FREESAV(&sav); 326 return EINVAL; 327 } 328 329 if (skip != 0) { 330 /* 331 * Fix IPv4 header 332 * XXXGL: do we need this entire block? 333 */ 334 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 335 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 336 __func__, ipsec_address(&sav->sah->saidx.dst), 337 (u_long) ntohl(sav->spi))); |
339 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, 340 V_ipcompstat.ipcomps_hdrops); | 338 IPSEC_ISTAT(sproto, hdrops); |
341 error = ENOBUFS; 342 goto bad; 343 } 344 345 ip = mtod(m, struct ip *); 346 ip->ip_len = htons(m->m_pkthdr.len); 347 ip->ip_sum = 0; 348 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 349 } else { 350 ip = mtod(m, struct ip *); 351 } 352 prot = ip->ip_p; 353 354#ifdef notyet 355 /* IP-in-IP encapsulation */ 356 if (prot == IPPROTO_IPIP) { 357 struct ip ipn; 358 359 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { | 339 error = ENOBUFS; 340 goto bad; 341 } 342 343 ip = mtod(m, struct ip *); 344 ip->ip_len = htons(m->m_pkthdr.len); 345 ip->ip_sum = 0; 346 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 347 } else { 348 ip = mtod(m, struct ip *); 349 } 350 prot = ip->ip_p; 351 352#ifdef notyet 353 /* IP-in-IP encapsulation */ 354 if (prot == IPPROTO_IPIP) { 355 struct ip ipn; 356 357 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { |
360 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, 361 V_ahstat.ahs_hdrops, 362 V_ipcompstat.ipcomps_hdrops); | 358 IPSEC_ISTAT(sproto, hdrops); |
363 error = EINVAL; 364 goto bad; 365 } 366 /* ipn will now contain the inner IPv4 header */ 367 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), 368 (caddr_t) &ipn); 369 370 /* XXX PROXY address isn't recorded in SAH */ --- 12 unchanged lines hidden (view full) --- 383 DPRINTF(("%s: inner source address %s doesn't " 384 "correspond to expected proxy source %s, " 385 "SA %s/%08lx\n", __func__, 386 inet_ntoa4(ipn.ip_src), 387 ipsp_address(saidx->proxy), 388 ipsp_address(saidx->dst), 389 (u_long) ntohl(sav->spi))); 390 | 359 error = EINVAL; 360 goto bad; 361 } 362 /* ipn will now contain the inner IPv4 header */ 363 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), 364 (caddr_t) &ipn); 365 366 /* XXX PROXY address isn't recorded in SAH */ --- 12 unchanged lines hidden (view full) --- 379 DPRINTF(("%s: inner source address %s doesn't " 380 "correspond to expected proxy source %s, " 381 "SA %s/%08lx\n", __func__, 382 inet_ntoa4(ipn.ip_src), 383 ipsp_address(saidx->proxy), 384 ipsp_address(saidx->dst), 385 (u_long) ntohl(sav->spi))); 386 |
391 IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, 392 V_ahstat.ahs_pdrops, 393 V_ipcompstat.ipcomps_pdrops); | 387 IPSEC_ISTAT(sproto, pdrops); |
394 error = EACCES; 395 goto bad; 396 } 397 } 398#ifdef INET6 399 /* IPv6-in-IP encapsulation. */ 400 if (prot == IPPROTO_IPV6) { 401 struct ip6_hdr ip6n; 402 403 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { | 388 error = EACCES; 389 goto bad; 390 } 391 } 392#ifdef INET6 393 /* IPv6-in-IP encapsulation. */ 394 if (prot == IPPROTO_IPV6) { 395 struct ip6_hdr ip6n; 396 397 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { |
404 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, 405 V_ahstat.ahs_hdrops, 406 V_ipcompstat.ipcomps_hdrops); | 398 IPSEC_ISTAT(sproto, hdrops); |
407 error = EINVAL; 408 goto bad; 409 } 410 /* ip6n will now contain the inner IPv6 header. */ 411 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), 412 (caddr_t) &ip6n); 413 414 /* --- 10 unchanged lines hidden (view full) --- 425 DPRINTF(("%s: inner source address %s doesn't " 426 "correspond to expected proxy source %s, " 427 "SA %s/%08lx\n", __func__, 428 ip6_sprintf(ip6buf, &ip6n.ip6_src), 429 ipsec_address(&saidx->proxy), 430 ipsec_address(&saidx->dst), 431 (u_long) ntohl(sav->spi))); 432 | 399 error = EINVAL; 400 goto bad; 401 } 402 /* ip6n will now contain the inner IPv6 header. */ 403 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), 404 (caddr_t) &ip6n); 405 406 /* --- 10 unchanged lines hidden (view full) --- 417 DPRINTF(("%s: inner source address %s doesn't " 418 "correspond to expected proxy source %s, " 419 "SA %s/%08lx\n", __func__, 420 ip6_sprintf(ip6buf, &ip6n.ip6_src), 421 ipsec_address(&saidx->proxy), 422 ipsec_address(&saidx->dst), 423 (u_long) ntohl(sav->spi))); 424 |
433 IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, 434 V_ahstat.ahs_pdrops, 435 V_ipcompstat.ipcomps_pdrops); | 425 IPSEC_ISTAT(sproto, pdrops); |
436 error = EACCES; 437 goto bad; 438 } 439 } 440#endif /* INET6 */ 441#endif /*XXX*/ 442 443 /* --- 4 unchanged lines hidden (view full) --- 448 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to 449 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type. 450 */ 451 if (mt == NULL && sproto != IPPROTO_IPCOMP) { 452 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 453 sizeof(struct tdb_ident), M_NOWAIT); 454 if (mtag == NULL) { 455 DPRINTF(("%s: failed to get tag\n", __func__)); | 426 error = EACCES; 427 goto bad; 428 } 429 } 430#endif /* INET6 */ 431#endif /*XXX*/ 432 433 /* --- 4 unchanged lines hidden (view full) --- 438 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to 439 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type. 440 */ 441 if (mt == NULL && sproto != IPPROTO_IPCOMP) { 442 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 443 sizeof(struct tdb_ident), M_NOWAIT); 444 if (mtag == NULL) { 445 DPRINTF(("%s: failed to get tag\n", __func__)); |
456 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, 457 V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); | 446 IPSEC_ISTAT(sproto, hdrops); |
458 error = ENOMEM; 459 goto bad; 460 } 461 462 tdbi = (struct tdb_ident *)(mtag + 1); 463 bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len); 464 tdbi->proto = sproto; 465 tdbi->spi = sav->spi; --- 23 unchanged lines hidden (view full) --- 489 if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0) 490 return (error); 491#endif 492 493 /* 494 * Re-dispatch via software interrupt. 495 */ 496 if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) { | 447 error = ENOMEM; 448 goto bad; 449 } 450 451 tdbi = (struct tdb_ident *)(mtag + 1); 452 bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len); 453 tdbi->proto = sproto; 454 tdbi->spi = sav->spi; --- 23 unchanged lines hidden (view full) --- 478 if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0) 479 return (error); 480#endif 481 482 /* 483 * Re-dispatch via software interrupt. 484 */ 485 if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) { |
497 IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull, 498 V_ipcompstat.ipcomps_qfull); 499 | 486 IPSEC_ISTAT(sproto, qfull); |
500 DPRINTF(("%s: queue full; proto %u packet dropped\n", 501 __func__, sproto)); 502 return error; 503 } 504 return 0; 505bad: 506 m_freem(m); 507 return error; --- 35 unchanged lines hidden (view full) --- 543 l = (ip6e.ip6e_len + 1) << 3; 544 IPSEC_ASSERT(l > 0, ("l went zero or negative")); 545 } while (protoff + l < *offp); 546 547 /* Malformed packet check */ 548 if (protoff + l != *offp) { 549 DPRINTF(("%s: bad packet header chain, protoff %u, " 550 "l %u, off %u\n", __func__, protoff, l, *offp)); | 487 DPRINTF(("%s: queue full; proto %u packet dropped\n", 488 __func__, sproto)); 489 return error; 490 } 491 return 0; 492bad: 493 m_freem(m); 494 return error; --- 35 unchanged lines hidden (view full) --- 530 l = (ip6e.ip6e_len + 1) << 3; 531 IPSEC_ASSERT(l > 0, ("l went zero or negative")); 532 } while (protoff + l < *offp); 533 534 /* Malformed packet check */ 535 if (protoff + l != *offp) { 536 DPRINTF(("%s: bad packet header chain, protoff %u, " 537 "l %u, off %u\n", __func__, protoff, l, *offp)); |
551 IPSEC_ISTAT(proto, V_espstat.esps_hdrops, 552 V_ahstat.ahs_hdrops, 553 V_ipcompstat.ipcomps_hdrops); | 538 IPSEC_ISTAT(proto, hdrops); |
554 m_freem(*mp); 555 *mp = NULL; 556 return IPPROTO_DONE; 557 } 558 protoff += offsetof(struct ip6_ext, ip6e_nxt); 559 } 560 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto); 561 return IPPROTO_DONE; --- 28 unchanged lines hidden (view full) --- 590 sproto = saidx->proto; 591 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 592 sproto == IPPROTO_IPCOMP, 593 ("unexpected security protocol %u", sproto)); 594 595 /* Sanity check */ 596 if (m == NULL) { 597 DPRINTF(("%s: null mbuf", __func__)); | 539 m_freem(*mp); 540 *mp = NULL; 541 return IPPROTO_DONE; 542 } 543 protoff += offsetof(struct ip6_ext, ip6e_nxt); 544 } 545 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto); 546 return IPPROTO_DONE; --- 28 unchanged lines hidden (view full) --- 575 sproto = saidx->proto; 576 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 577 sproto == IPPROTO_IPCOMP, 578 ("unexpected security protocol %u", sproto)); 579 580 /* Sanity check */ 581 if (m == NULL) { 582 DPRINTF(("%s: null mbuf", __func__)); |
598 IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, 599 V_ipcompstat.ipcomps_badkcr); | 583 IPSEC_ISTAT(sproto, badkcr); |
600 error = EINVAL; 601 goto bad; 602 } 603 604 /* Fix IPv6 header */ 605 if (m->m_len < sizeof(struct ip6_hdr) && 606 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 607 608 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 609 __func__, ipsec_address(&sav->sah->saidx.dst), 610 (u_long) ntohl(sav->spi))); 611 | 584 error = EINVAL; 585 goto bad; 586 } 587 588 /* Fix IPv6 header */ 589 if (m->m_len < sizeof(struct ip6_hdr) && 590 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 591 592 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 593 __func__, ipsec_address(&sav->sah->saidx.dst), 594 (u_long) ntohl(sav->spi))); 595 |
612 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, 613 V_ipcompstat.ipcomps_hdrops); | 596 IPSEC_ISTAT(sproto, hdrops); |
614 error = EACCES; 615 goto bad; 616 } 617 618 ip6 = mtod(m, struct ip6_hdr *); 619 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 620 621 /* Save protocol */ 622 m_copydata(m, protoff, 1, (unsigned char *) &prot); 623 624#ifdef notyet 625#ifdef INET 626 /* IP-in-IP encapsulation */ 627 if (prot == IPPROTO_IPIP) { 628 struct ip ipn; 629 630 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { | 597 error = EACCES; 598 goto bad; 599 } 600 601 ip6 = mtod(m, struct ip6_hdr *); 602 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 603 604 /* Save protocol */ 605 m_copydata(m, protoff, 1, (unsigned char *) &prot); 606 607#ifdef notyet 608#ifdef INET 609 /* IP-in-IP encapsulation */ 610 if (prot == IPPROTO_IPIP) { 611 struct ip ipn; 612 613 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { |
631 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, 632 V_ahstat.ahs_hdrops, 633 V_ipcompstat.ipcomps_hdrops); | 614 IPSEC_ISTAT(sproto, hdrops); |
634 error = EINVAL; 635 goto bad; 636 } 637 /* ipn will now contain the inner IPv4 header */ 638 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 639 640 /* 641 * Check that the inner source address is the same as --- 8 unchanged lines hidden (view full) --- 650 DPRINTF(("%s: inner source address %s doesn't " 651 "correspond to expected proxy source %s, " 652 "SA %s/%08lx\n", __func__, 653 inet_ntoa4(ipn.ip_src), 654 ipsec_address(&saidx->proxy), 655 ipsec_address(&saidx->dst), 656 (u_long) ntohl(sav->spi))); 657 | 615 error = EINVAL; 616 goto bad; 617 } 618 /* ipn will now contain the inner IPv4 header */ 619 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 620 621 /* 622 * Check that the inner source address is the same as --- 8 unchanged lines hidden (view full) --- 631 DPRINTF(("%s: inner source address %s doesn't " 632 "correspond to expected proxy source %s, " 633 "SA %s/%08lx\n", __func__, 634 inet_ntoa4(ipn.ip_src), 635 ipsec_address(&saidx->proxy), 636 ipsec_address(&saidx->dst), 637 (u_long) ntohl(sav->spi))); 638 |
658 IPSEC_ISTATsproto, (V_espstat.esps_pdrops, 659 V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); | 639 IPSEC_ISTAT(sproto, pdrops); |
660 error = EACCES; 661 goto bad; 662 } 663 } 664#endif /* INET */ 665 666 /* IPv6-in-IP encapsulation */ 667 if (prot == IPPROTO_IPV6) { 668 struct ip6_hdr ip6n; 669 670 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { | 640 error = EACCES; 641 goto bad; 642 } 643 } 644#endif /* INET */ 645 646 /* IPv6-in-IP encapsulation */ 647 if (prot == IPPROTO_IPV6) { 648 struct ip6_hdr ip6n; 649 650 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { |
671 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, 672 V_ahstat.ahs_hdrops, 673 V_ipcompstat.ipcomps_hdrops); | 651 IPSEC_ISTAT(sproto, hdrops); |
674 error = EINVAL; 675 goto bad; 676 } 677 /* ip6n will now contain the inner IPv6 header. */ 678 m_copydata(m, skip, sizeof(struct ip6_hdr), 679 (caddr_t) &ip6n); 680 681 /* --- 10 unchanged lines hidden (view full) --- 692 DPRINTF(("%s: inner source address %s doesn't " 693 "correspond to expected proxy source %s, " 694 "SA %s/%08lx\n", __func__, 695 ip6_sprintf(ip6buf, &ip6n.ip6_src), 696 ipsec_address(&saidx->proxy), 697 ipsec_address(&saidx->dst), 698 (u_long) ntohl(sav->spi))); 699 | 652 error = EINVAL; 653 goto bad; 654 } 655 /* ip6n will now contain the inner IPv6 header. */ 656 m_copydata(m, skip, sizeof(struct ip6_hdr), 657 (caddr_t) &ip6n); 658 659 /* --- 10 unchanged lines hidden (view full) --- 670 DPRINTF(("%s: inner source address %s doesn't " 671 "correspond to expected proxy source %s, " 672 "SA %s/%08lx\n", __func__, 673 ip6_sprintf(ip6buf, &ip6n.ip6_src), 674 ipsec_address(&saidx->proxy), 675 ipsec_address(&saidx->dst), 676 (u_long) ntohl(sav->spi))); 677 |
700 IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, 701 V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); | 678 IPSEC_ISTAT(sproto, pdrops); |
702 error = EACCES; 703 goto bad; 704 } 705 } 706#endif /*XXX*/ 707 708 /* 709 * Record what we've done to the packet (under what SA it was 710 * processed). If we've been passed an mtag, it means the packet 711 * was already processed by an ethernet/crypto combo card and 712 * thus has a tag attached with all the right information, but 713 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to 714 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type. 715 */ 716 if (mt == NULL && sproto != IPPROTO_IPCOMP) { 717 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 718 sizeof(struct tdb_ident), M_NOWAIT); 719 if (mtag == NULL) { 720 DPRINTF(("%s: failed to get tag\n", __func__)); | 679 error = EACCES; 680 goto bad; 681 } 682 } 683#endif /*XXX*/ 684 685 /* 686 * Record what we've done to the packet (under what SA it was 687 * processed). If we've been passed an mtag, it means the packet 688 * was already processed by an ethernet/crypto combo card and 689 * thus has a tag attached with all the right information, but 690 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to 691 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type. 692 */ 693 if (mt == NULL && sproto != IPPROTO_IPCOMP) { 694 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 695 sizeof(struct tdb_ident), M_NOWAIT); 696 if (mtag == NULL) { 697 DPRINTF(("%s: failed to get tag\n", __func__)); |
721 IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, 722 V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); | 698 IPSEC_ISTAT(sproto, hdrops); |
723 error = ENOMEM; 724 goto bad; 725 } 726 727 tdbi = (struct tdb_ident *)(mtag + 1); 728 bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union)); 729 tdbi->proto = sproto; 730 tdbi->spi = sav->spi; --- 163 unchanged lines hidden --- | 699 error = ENOMEM; 700 goto bad; 701 } 702 703 tdbi = (struct tdb_ident *)(mtag + 1); 704 bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union)); 705 tdbi->proto = sproto; 706 tdbi->spi = sav->spi; --- 163 unchanged lines hidden --- |
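Review bot: The rewritten IPSEC_ISTAT macro at new lines 102-109 has no comment explaining its contract, and the trailing `else` silently counts any protocol that is neither ESP nor AH as an IPCOMP event; that matches the old `(z)++` fallback, but the new form hides the three counter names behind token pasting, so a reader at a call site like `IPSEC_ISTAT(sproto, hdrops)` cannot see which field is touched. I would add above the macro `/* Increment the per-protocol input counter named by the suffix "name": esps_name, ahs_name or ipcomps_name is selected from proto. Only ESP, AH and IPCOMP are valid; any other value is counted as IPCOMP. */`. The callers in ipsec_common_input, ipsec4_common_input_cb and ipsec6_common_input_cb assert sproto is one of the three (new lines 138-140, 317-319, 576-578), but the ipsec6_common_input use with `proto` at new line 538 is in a function whose start is outside the visible hunk, so I cannot confirm it is guarded the same way; if it is not, an explicit `else if ((proto) == IPPROTO_IPCOMP)` plus a KASSERT-style fallback would keep a stray next-header value from being miscounted as IPCOMP. Note also that the macro is now a statement rather than an expression, which all visible call sites tolerate but which the comment should state for future users.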