Deleted Added
sdiff udiff text old ( 118888 ) new ( 119643 )
full compact
1/* $FreeBSD: head/sys/netipsec/ipsec_input.c 118888 2003-08-13 22:36:24Z sam $ */
1/* $FreeBSD: head/sys/netipsec/ipsec_input.c 119643 2003-09-01 05:35:55Z sam $ */
2/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
3/*
4 * The authors of this code are John Ioannidis (ji@tla.org),
5 * Angelos D. Keromytis (kermit@csd.uch.gr) and
6 * Niels Provos (provos@physnet.uni-hamburg.de).
7 *
8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9 * in November 1995.
10 *
11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12 * by Angelos D. Keromytis.
13 *
14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15 * and Niels Provos.
16 *
17 * Additional features in 1999 by Angelos D. Keromytis.
18 *
19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20 * Angelos D. Keromytis and Niels Provos.
21 * Copyright (c) 2001, Angelos D. Keromytis.
22 *
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
30 * all.
31 *
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36 * PURPOSE.
37 */
38
39/*
40 * IPsec input processing.
41 */
42
43#include "opt_inet.h"
44#include "opt_inet6.h"
45#include "opt_ipsec.h"
46
47#include <sys/param.h>
48#include <sys/systm.h>
49#include <sys/malloc.h>
50#include <sys/mbuf.h>
51#include <sys/domain.h>
52#include <sys/protosw.h>
53#include <sys/socket.h>
54#include <sys/errno.h>
55#include <sys/syslog.h>
56
57#include <net/if.h>
58#include <net/route.h>
59#include <net/netisr.h>
60
61#include <netinet/in.h>
62#include <netinet/in_systm.h>
63#include <netinet/ip.h>
64#include <netinet/ip_var.h>
65#include <netinet/in_var.h>
66
67#include <netinet/ip6.h>
68#ifdef INET6
69#include <netinet6/ip6_var.h>
70#endif
71#include <netinet/in_pcb.h>
72#ifdef INET6
73#include <netinet/icmp6.h>
74#endif
75
76#include <netipsec/ipsec.h>
77#ifdef INET6
78#include <netipsec/ipsec6.h>
79#endif
80#include <netipsec/ah_var.h>
81#include <netipsec/esp.h>
82#include <netipsec/esp_var.h>
83#include <netipsec/ipcomp_var.h>
84
85#include <netipsec/key.h>
86#include <netipsec/keydb.h>
87
88#include <netipsec/xform.h>
89#include <netinet6/ip6protosw.h>
90
91#include <machine/in_cksum.h>
92#include <machine/stdarg.h>
93
94#include <net/net_osdep.h>
95
96#define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \
97 (p) == IPPROTO_AH ? (y)++ : (z)++)
98
99/*
100 * ipsec_common_input gets called when an IPsec-protected packet
101 * is received by IPv4 or IPv6. It's job is to find the right SA
102 # and call the appropriate transform. The transform callback
103 * takes care of further processing (like ingress filtering).
104 */
105static int
106ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
107{
108 union sockaddr_union dst_address;
109 struct secasvar *sav;
110 u_int32_t spi;
111 int s, error;
111 int error;
112
113 IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input,
114 ipcompstat.ipcomps_input);
115
116 KASSERT(m != NULL, ("ipsec_common_input: null packet"));
117
118 if ((sproto == IPPROTO_ESP && !esp_enable) ||
119 (sproto == IPPROTO_AH && !ah_enable) ||
120 (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
121 m_freem(m);
122 IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops,
123 ipcompstat.ipcomps_pdrops);
124 return EOPNOTSUPP;
125 }
126
127 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
128 m_freem(m);
129 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
130 ipcompstat.ipcomps_hdrops);
131 DPRINTF(("ipsec_common_input: packet too small\n"));
132 return EINVAL;
133 }
134
135 /* Retrieve the SPI from the relevant IPsec header */
136 if (sproto == IPPROTO_ESP)
137 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
138 else if (sproto == IPPROTO_AH)
139 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
140 (caddr_t) &spi);
141 else if (sproto == IPPROTO_IPCOMP) {
142 u_int16_t cpi;
143 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
144 (caddr_t) &cpi);
145 spi = ntohl(htons(cpi));
146 }
147
148 /*
149 * Find the SA and (indirectly) call the appropriate
150 * kernel crypto routine. The resulting mbuf chain is a valid
151 * IP packet ready to go through input processing.
152 */
153 bzero(&dst_address, sizeof (dst_address));
154 dst_address.sa.sa_family = af;
155 switch (af) {
156#ifdef INET
157 case AF_INET:
158 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
159 m_copydata(m, offsetof(struct ip, ip_dst),
160 sizeof(struct in_addr),
161 (caddr_t) &dst_address.sin.sin_addr);
162 break;
163#endif /* INET */
164#ifdef INET6
165 case AF_INET6:
166 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
167 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
168 sizeof(struct in6_addr),
169 (caddr_t) &dst_address.sin6.sin6_addr);
170 break;
171#endif /* INET6 */
172 default:
173 DPRINTF(("ipsec_common_input: unsupported protocol "
174 "family %u\n", af));
175 m_freem(m);
176 IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf,
177 ipcompstat.ipcomps_nopf);
178 return EPFNOSUPPORT;
179 }
180
181 s = splnet();
182
181 /* NB: only pass dst since key_allocsa follows RFC2401 */
182 sav = KEY_ALLOCSA(&dst_address, sproto, spi);
183 if (sav == NULL) {
184 DPRINTF(("ipsec_common_input: no key association found for"
185 " SA %s/%08lx/%u\n",
186 ipsec_address(&dst_address),
187 (u_long) ntohl(spi), sproto));
188 IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb,
189 ipcompstat.ipcomps_notdb);
192 splx(s);
190 m_freem(m);
191 return ENOENT;
192 }
193
194 if (sav->tdb_xform == NULL) {
195 DPRINTF(("ipsec_common_input: attempted to use uninitialized"
196 " SA %s/%08lx/%u\n",
197 ipsec_address(&dst_address),
198 (u_long) ntohl(spi), sproto));
199 IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform,
200 ipcompstat.ipcomps_noxform);
201 KEY_FREESAV(&sav);
205 splx(s);
202 m_freem(m);
203 return ENXIO;
204 }
205
206 /*
207 * Call appropriate transform and return -- callback takes care of
208 * everything else.
209 */
210 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
211 KEY_FREESAV(&sav);
216 splx(s);
212 return error;
213}
214
215#ifdef INET
216/*
217 * Common input handler for IPv4 AH, ESP, and IPCOMP.
218 */
219int
220ipsec4_common_input(struct mbuf *m, ...)
221{
222 va_list ap;
223 int off, nxt;
224
225 va_start(ap, m);
226 off = va_arg(ap, int);
227 nxt = va_arg(ap, int);
228 va_end(ap);
229
230 return ipsec_common_input(m, off, offsetof(struct ip, ip_p),
231 AF_INET, nxt);
232}
233
234void
235ah4_input(struct mbuf *m, int off)
236{
237 ipsec4_common_input(m, off, IPPROTO_AH);
238}
239
240void
241esp4_input(struct mbuf *m, int off)
242{
243 ipsec4_common_input(m, off, IPPROTO_ESP);
244}
245
246void
247ipcomp4_input(struct mbuf *m, int off)
248{
249 ipsec4_common_input(m, off, IPPROTO_IPCOMP);
250}
251
252/*
253 * IPsec input callback for INET protocols.
254 * This routine is called as the transform callback.
255 * Takes care of filtering and other sanity checks on
256 * the processed packet.
257 */
258int
259ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
260 int skip, int protoff, struct m_tag *mt)
261{
262 int prot, af, sproto;
263 struct ip *ip;
264 struct m_tag *mtag;
265 struct tdb_ident *tdbi;
266 struct secasindex *saidx;
267 int error;
268
269#if 0
270 SPLASSERT(net, "ipsec4_common_input_cb");
271#endif
272
273 KASSERT(m != NULL, ("ipsec4_common_input_cb: null mbuf"));
274 KASSERT(sav != NULL, ("ipsec4_common_input_cb: null SA"));
275 KASSERT(sav->sah != NULL, ("ipsec4_common_input_cb: null SAH"));
276 saidx = &sav->sah->saidx;
277 af = saidx->dst.sa.sa_family;
278 KASSERT(af == AF_INET, ("ipsec4_common_input_cb: unexpected af %u",af));
279 sproto = saidx->proto;
280 KASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
281 sproto == IPPROTO_IPCOMP,
282 ("ipsec4_common_input_cb: unexpected security protocol %u",
283 sproto));
284
285 /* Sanity check */
286 if (m == NULL) {
287 DPRINTF(("ipsec4_common_input_cb: null mbuf"));
288 IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
289 ipcompstat.ipcomps_badkcr);
290 KEY_FREESAV(&sav);
291 return EINVAL;
292 }
293
294 if (skip != 0) {
295 /* Fix IPv4 header */
296 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
297 DPRINTF(("ipsec4_common_input_cb: processing failed "
298 "for SA %s/%08lx\n",
299 ipsec_address(&sav->sah->saidx.dst),
300 (u_long) ntohl(sav->spi)));
301 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
302 ipcompstat.ipcomps_hdrops);
303 error = ENOBUFS;
304 goto bad;
305 }
306
307 ip = mtod(m, struct ip *);
308 ip->ip_len = htons(m->m_pkthdr.len);
309 ip->ip_off = htons(ip->ip_off);
310 ip->ip_sum = 0;
311 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
312 } else {
313 ip = mtod(m, struct ip *);
314 }
315 prot = ip->ip_p;
316
317 /* IP-in-IP encapsulation */
318 if (prot == IPPROTO_IPIP) {
319 struct ip ipn;
320
321 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
322 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
323 ahstat.ahs_hdrops,
324 ipcompstat.ipcomps_hdrops);
325 error = EINVAL;
326 goto bad;
327 }
328 /* ipn will now contain the inner IPv4 header */
329 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip),
330 (caddr_t) &ipn);
331
332#ifdef notyet
333 /* XXX PROXY address isn't recorded in SAH */
334 /*
335 * Check that the inner source address is the same as
336 * the proxy address, if available.
337 */
338 if ((saidx->proxy.sa.sa_family == AF_INET &&
339 saidx->proxy.sin.sin_addr.s_addr !=
340 INADDR_ANY &&
341 ipn.ip_src.s_addr !=
342 saidx->proxy.sin.sin_addr.s_addr) ||
343 (saidx->proxy.sa.sa_family != AF_INET &&
344 saidx->proxy.sa.sa_family != 0)) {
345
346 DPRINTF(("ipsec4_common_input_cb: inner "
347 "source address %s doesn't correspond to "
348 "expected proxy source %s, SA %s/%08lx\n",
349 inet_ntoa4(ipn.ip_src),
350 ipsp_address(saidx->proxy),
351 ipsp_address(saidx->dst),
352 (u_long) ntohl(sav->spi)));
353
354 IPSEC_ISTAT(sproto, espstat.esps_pdrops,
355 ahstat.ahs_pdrops,
356 ipcompstat.ipcomps_pdrops);
357 error = EACCES;
358 goto bad;
359 }
360#endif /*XXX*/
361 }
362#if INET6
363 /* IPv6-in-IP encapsulation. */
364 if (prot == IPPROTO_IPV6) {
365 struct ip6_hdr ip6n;
366
367 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
368 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
369 ahstat.ahs_hdrops,
370 ipcompstat.ipcomps_hdrops);
371 error = EINVAL;
372 goto bad;
373 }
374 /* ip6n will now contain the inner IPv6 header. */
375 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr),
376 (caddr_t) &ip6n);
377
378#ifdef notyet
379 /*
380 * Check that the inner source address is the same as
381 * the proxy address, if available.
382 */
383 if ((saidx->proxy.sa.sa_family == AF_INET6 &&
384 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
385 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
386 &saidx->proxy.sin6.sin6_addr)) ||
387 (saidx->proxy.sa.sa_family != AF_INET6 &&
388 saidx->proxy.sa.sa_family != 0)) {
389
390 DPRINTF(("ipsec4_common_input_cb: inner "
391 "source address %s doesn't correspond to "
392 "expected proxy source %s, SA %s/%08lx\n",
393 ip6_sprintf(&ip6n.ip6_src),
394 ipsec_address(&saidx->proxy),
395 ipsec_address(&saidx->dst),
396 (u_long) ntohl(sav->spi)));
397
398 IPSEC_ISTAT(sproto, espstat.esps_pdrops,
399 ahstat.ahs_pdrops,
400 ipcompstat.ipcomps_pdrops);
401 error = EACCES;
402 goto bad;
403 }
404#endif /*XXX*/
405 }
406#endif /* INET6 */
407
408 /*
409 * Record what we've done to the packet (under what SA it was
410 * processed). If we've been passed an mtag, it means the packet
411 * was already processed by an ethernet/crypto combo card and
412 * thus has a tag attached with all the right information, but
413 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
414 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
415 */
416 if (mt == NULL && sproto != IPPROTO_IPCOMP) {
417 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
418 sizeof(struct tdb_ident), M_NOWAIT);
419 if (mtag == NULL) {
420 DPRINTF(("ipsec4_common_input_cb: failed to get tag\n"));
421 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
422 ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
423 error = ENOMEM;
424 goto bad;
425 }
426
427 tdbi = (struct tdb_ident *)(mtag + 1);
428 bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len);
429 tdbi->proto = sproto;
430 tdbi->spi = sav->spi;
431
432 m_tag_prepend(m, mtag);
433 } else {
434 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
435 /* XXX do we need to mark m_flags??? */
436 }
437
438 key_sa_recordxfer(sav, m); /* record data transfer */
439
440 /*
441 * Re-dispatch via software interrupt.
442 */
443 if (!netisr_queue(NETISR_IP, m)) {
444 IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull,
445 ipcompstat.ipcomps_qfull);
446
447 DPRINTF(("ipsec4_common_input_cb: queue full; "
448 "proto %u packet dropped\n", sproto));
449 return ENOBUFS;
450 }
451 return 0;
452bad:
453 m_freem(m);
454 return error;
455}
456#endif /* INET */
457
458#ifdef INET6
459/* IPv6 AH wrapper. */
460int
461ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
462{
463 int l = 0;
464 int protoff;
465 struct ip6_ext ip6e;
466
467 if (*offp < sizeof(struct ip6_hdr)) {
468 DPRINTF(("ipsec6_common_input: bad offset %u\n", *offp));
469 return IPPROTO_DONE;
470 } else if (*offp == sizeof(struct ip6_hdr)) {
471 protoff = offsetof(struct ip6_hdr, ip6_nxt);
472 } else {
473 /* Chase down the header chain... */
474 protoff = sizeof(struct ip6_hdr);
475
476 do {
477 protoff += l;
478 m_copydata(*mp, protoff, sizeof(ip6e),
479 (caddr_t) &ip6e);
480
481 if (ip6e.ip6e_nxt == IPPROTO_AH)
482 l = (ip6e.ip6e_len + 2) << 2;
483 else
484 l = (ip6e.ip6e_len + 1) << 3;
485 KASSERT(l > 0, ("ah6_input: l went zero or negative"));
486 } while (protoff + l < *offp);
487
488 /* Malformed packet check */
489 if (protoff + l != *offp) {
490 DPRINTF(("ipsec6_common_input: bad packet header chain, "
491 "protoff %u, l %u, off %u\n", protoff, l, *offp));
492 IPSEC_ISTAT(proto, espstat.esps_hdrops,
493 ahstat.ahs_hdrops,
494 ipcompstat.ipcomps_hdrops);
495 m_freem(*mp);
496 *mp = NULL;
497 return IPPROTO_DONE;
498 }
499 protoff += offsetof(struct ip6_ext, ip6e_nxt);
500 }
501 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto);
502 return IPPROTO_DONE;
503}
504
505void
506esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
507{
508 if (sa->sa_family != AF_INET6 ||
509 sa->sa_len != sizeof(struct sockaddr_in6))
510 return;
511 if ((unsigned)cmd >= PRC_NCMDS)
512 return;
513
514 /* if the parameter is from icmp6, decode it. */
515 if (d != NULL) {
516 struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d;
517 struct mbuf *m = ip6cp->ip6c_m;
518 int off = ip6cp->ip6c_off;
519
520 struct ip6ctlparam ip6cp1;
521
522 /*
523 * Notify the error to all possible sockets via pfctlinput2.
524 * Since the upper layer information (such as protocol type,
525 * source and destination ports) is embedded in the encrypted
526 * data and might have been cut, we can't directly call
527 * an upper layer ctlinput function. However, the pcbnotify
528 * function will consider source and destination addresses
529 * as well as the flow info value, and may be able to find
530 * some PCB that should be notified.
531 * Although pfctlinput2 will call esp6_ctlinput(), there is
532 * no possibility of an infinite loop of function calls,
533 * because we don't pass the inner IPv6 header.
534 */
535 bzero(&ip6cp1, sizeof(ip6cp1));
536 ip6cp1.ip6c_src = ip6cp->ip6c_src;
537 pfctlinput2(cmd, sa, (void *)&ip6cp1);
538
539 /*
540 * Then go to special cases that need ESP header information.
541 * XXX: We assume that when ip6 is non NULL,
542 * M and OFF are valid.
543 */
544
545 if (cmd == PRC_MSGSIZE) {
546 struct secasvar *sav;
547 u_int32_t spi;
548 int valid;
549
550 /* check header length before using m_copydata */
551 if (m->m_pkthdr.len < off + sizeof (struct esp))
552 return;
553 m_copydata(m, off + offsetof(struct esp, esp_spi),
554 sizeof(u_int32_t), (caddr_t) &spi);
555 /*
556 * Check to see if we have a valid SA corresponding to
557 * the address in the ICMP message payload.
558 */
559 sav = KEY_ALLOCSA((union sockaddr_union *)sa,
560 IPPROTO_ESP, spi);
561 valid = (sav != NULL);
562 if (sav)
563 KEY_FREESAV(&sav);
564
565 /* XXX Further validation? */
566
567 /*
568 * Depending on whether the SA is "valid" and
569 * routing table size (mtudisc_{hi,lo}wat), we will:
570 * - recalcurate the new MTU and create the
571 * corresponding routing entry, or
572 * - ignore the MTU change notification.
573 */
574 icmp6_mtudisc_update(ip6cp, valid);
575 }
576 } else {
577 /* we normally notify any pcb here */
578 }
579}
580
581/*
582 * IPsec input callback, called by the transform callback. Takes care of
583 * filtering and other sanity checks on the processed packet.
584 */
585int
586ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
587 struct m_tag *mt)
588{
589 int prot, af, sproto;
590 struct ip6_hdr *ip6;
591 struct m_tag *mtag;
592 struct tdb_ident *tdbi;
593 struct secasindex *saidx;
594 int nxt;
595 u_int8_t nxt8;
596 int error, nest;
597
598 KASSERT(m != NULL, ("ipsec6_common_input_cb: null mbuf"));
599 KASSERT(sav != NULL, ("ipsec6_common_input_cb: null SA"));
600 KASSERT(sav->sah != NULL, ("ipsec6_common_input_cb: null SAH"));
601 saidx = &sav->sah->saidx;
602 af = saidx->dst.sa.sa_family;
603 KASSERT(af == AF_INET6,
604 ("ipsec6_common_input_cb: unexpected af %u", af));
605 sproto = saidx->proto;
606 KASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
607 sproto == IPPROTO_IPCOMP,
608 ("ipsec6_common_input_cb: unexpected security protocol %u",
609 sproto));
610
611 /* Sanity check */
612 if (m == NULL) {
613 DPRINTF(("ipsec4_common_input_cb: null mbuf"));
614 IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
615 ipcompstat.ipcomps_badkcr);
616 error = EINVAL;
617 goto bad;
618 }
619
620 /* Fix IPv6 header */
621 if (m->m_len < sizeof(struct ip6_hdr) &&
622 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
623
624 DPRINTF(("ipsec_common_input_cb: processing failed "
625 "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst),
626 (u_long) ntohl(sav->spi)));
627
628 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
629 ipcompstat.ipcomps_hdrops);
630 error = EACCES;
631 goto bad;
632 }
633
634 ip6 = mtod(m, struct ip6_hdr *);
635 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
636
637 /* Save protocol */
638 m_copydata(m, protoff, 1, (unsigned char *) &prot);
639
640#ifdef INET
641 /* IP-in-IP encapsulation */
642 if (prot == IPPROTO_IPIP) {
643 struct ip ipn;
644
645 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
646 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
647 ahstat.ahs_hdrops,
648 ipcompstat.ipcomps_hdrops);
649 error = EINVAL;
650 goto bad;
651 }
652 /* ipn will now contain the inner IPv4 header */
653 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn);
654
655#ifdef notyet
656 /*
657 * Check that the inner source address is the same as
658 * the proxy address, if available.
659 */
660 if ((saidx->proxy.sa.sa_family == AF_INET &&
661 saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
662 ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
663 (saidx->proxy.sa.sa_family != AF_INET &&
664 saidx->proxy.sa.sa_family != 0)) {
665
666 DPRINTF(("ipsec_common_input_cb: inner "
667 "source address %s doesn't correspond to "
668 "expected proxy source %s, SA %s/%08lx\n",
669 inet_ntoa4(ipn.ip_src),
670 ipsec_address(&saidx->proxy),
671 ipsec_address(&saidx->dst),
672 (u_long) ntohl(sav->spi)));
673
674 IPSEC_ISTATsproto, (espstat.esps_pdrops,
675 ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
676 error = EACCES;
677 goto bad;
678 }
679#endif /*XXX*/
680 }
681#endif /* INET */
682
683 /* IPv6-in-IP encapsulation */
684 if (prot == IPPROTO_IPV6) {
685 struct ip6_hdr ip6n;
686
687 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
688 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
689 ahstat.ahs_hdrops,
690 ipcompstat.ipcomps_hdrops);
691 error = EINVAL;
692 goto bad;
693 }
694 /* ip6n will now contain the inner IPv6 header. */
695 m_copydata(m, skip, sizeof(struct ip6_hdr),
696 (caddr_t) &ip6n);
697
698#ifdef notyet
699 /*
700 * Check that the inner source address is the same as
701 * the proxy address, if available.
702 */
703 if ((saidx->proxy.sa.sa_family == AF_INET6 &&
704 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
705 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
706 &saidx->proxy.sin6.sin6_addr)) ||
707 (saidx->proxy.sa.sa_family != AF_INET6 &&
708 saidx->proxy.sa.sa_family != 0)) {
709
710 DPRINTF(("ipsec_common_input_cb: inner "
711 "source address %s doesn't correspond to "
712 "expected proxy source %s, SA %s/%08lx\n",
713 ip6_sprintf(&ip6n.ip6_src),
714 ipsec_address(&saidx->proxy),
715 ipsec_address(&saidx->dst),
716 (u_long) ntohl(sav->spi)));
717
718 IPSEC_ISTAT(sproto, espstat.esps_pdrops,
719 ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
720 error = EACCES;
721 goto bad;
722 }
723#endif /*XXX*/
724 }
725
726 /*
727 * Record what we've done to the packet (under what SA it was
728 * processed). If we've been passed an mtag, it means the packet
729 * was already processed by an ethernet/crypto combo card and
730 * thus has a tag attached with all the right information, but
731 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
732 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
733 */
734 if (mt == NULL && sproto != IPPROTO_IPCOMP) {
735 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
736 sizeof(struct tdb_ident), M_NOWAIT);
737 if (mtag == NULL) {
738 DPRINTF(("ipsec_common_input_cb: failed to "
739 "get tag\n"));
740 IPSEC_ISTAT(sproto, espstat.esps_hdrops,
741 ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
742 error = ENOMEM;
743 goto bad;
744 }
745
746 tdbi = (struct tdb_ident *)(mtag + 1);
747 bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union));
748 tdbi->proto = sproto;
749 tdbi->spi = sav->spi;
750
751 m_tag_prepend(m, mtag);
752 } else {
753 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
754 /* XXX do we need to mark m_flags??? */
755 }
756
757 key_sa_recordxfer(sav, m);
758
759 /* Retrieve new protocol */
760 m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8);
761
762 /*
763 * See the end of ip6_input for this logic.
764 * IPPROTO_IPV[46] case will be processed just like other ones
765 */
766 nest = 0;
767 nxt = nxt8;
768 while (nxt != IPPROTO_DONE) {
769 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
770 ip6stat.ip6s_toomanyhdr++;
771 error = EINVAL;
772 goto bad;
773 }
774
775 /*
776 * Protection against faulty packet - there should be
777 * more sanity checks in header chain processing.
778 */
779 if (m->m_pkthdr.len < skip) {
780 ip6stat.ip6s_tooshort++;
781 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
782 error = EINVAL;
783 goto bad;
784 }
785 /*
786 * Enforce IPsec policy checking if we are seeing last header.
787 * note that we do not visit this with protocols with pcb layer
788 * code - like udp/tcp/raw ip.
789 */
790 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
791 ipsec6_in_reject(m, NULL)) {
792 error = EINVAL;
793 goto bad;
794 }
795 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
796 }
797 return 0;
798bad:
799 if (m)
800 m_freem(m);
801 return error;
802}
803#endif /* INET6 */