1 /* $OpenBSD: ipsec_input.c,v 1.174 2021/06/18 15:34:21 bluhm Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pf.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/protosw.h> 43 #include <sys/mbuf.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/kernel.h> 47 #include <sys/timeout.h> 48 49 #include <net/if.h> 50 #include <net/if_var.h> 51 #include <net/netisr.h> 52 #include <net/bpf.h> 53 #include <net/route.h> 54 55 #include <netinet/in.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/ip_icmp.h> 59 #include <netinet/tcp.h> 60 #include <netinet/udp.h> 61 62 #if NPF > 0 63 #include <net/pfvar.h> 64 #endif 65 66 #ifdef INET6 67 #include <netinet6/in6_var.h> 68 #include <netinet/ip6.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/ip6protosw.h> 71 #endif /* INET6 */ 72 73 #include <netinet/ip_ipsp.h> 74 #include <netinet/ip_esp.h> 75 #include <netinet/ip_ah.h> 76 #include <netinet/ip_ipcomp.h> 77 78 #include <net/if_enc.h> 79 80 #include <crypto/cryptodev.h> 81 #include <crypto/xform.h> 82 83 #include "bpfilter.h" 84 85 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 86 87 #ifdef ENCDEBUG 88 #define DPRINTF(x) if (encdebug) printf x 89 #else 90 #define DPRINTF(x) 91 #endif 92 93 /* sysctl variables */ 94 int encdebug = 0; 95 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; 96 int ipsec_require_pfs = IPSEC_DEFAULT_PFS; 97 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; 98 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; 99 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; 100 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; 101 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; 102 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; 103 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; 104 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; 105 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; 106 107 int esp_enable = 1; 108 int ah_enable = 1; 109 int ipcomp_enable = 0; 110 111 const struct sysctl_bounded_args espctl_vars[] = { 112 {ESPCTL_ENABLE, &esp_enable, 0, 1}, 113 {ESPCTL_UDPENCAP_ENABLE, &udpencap_enable, 0, 1}, 114 {ESPCTL_UDPENCAP_PORT, &udpencap_port, 0, 65535}, 115 }; 116 const struct sysctl_bounded_args ahctl_vars[] = { 117 {AHCTL_ENABLE, &ah_enable, 0, 1}, 118 }; 119 const struct sysctl_bounded_args ipcompctl_vars[] = { 120 {IPCOMPCTL_ENABLE, &ipcomp_enable, 0, 1}, 121 }; 122 123 struct cpumem *espcounters; 124 struct cpumem *ahcounters; 125 struct cpumem *ipcompcounters; 126 struct cpumem *ipseccounters; 127 128 char ipsec_def_enc[20]; 129 char ipsec_def_auth[20]; 130 char ipsec_def_comp[20]; 131 132 const struct sysctl_bounded_args ipsecctl_vars[] = { 133 { IPSEC_ENCDEBUG, &encdebug, 0, 1 }, 134 { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX }, 135 { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX }, 136 { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 }, 137 { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX }, 138 { IPSEC_ALLOCATIONS, &ipsec_exp_allocations, 0, INT_MAX }, 139 { IPSEC_SOFT_BYTES, &ipsec_soft_bytes, 0, INT_MAX }, 140 { IPSEC_BYTES, &ipsec_exp_bytes, 0, INT_MAX }, 141 { IPSEC_TIMEOUT, &ipsec_exp_timeout, 0, INT_MAX }, 142 { IPSEC_SOFT_TIMEOUT, &ipsec_soft_timeout,0, INT_MAX }, 143 { IPSEC_SOFT_FIRSTUSE, &ipsec_soft_first_use, 0, INT_MAX }, 144 { IPSEC_FIRSTUSE, &ipsec_exp_first_use, 0, INT_MAX }, 145 }; 146 147 int esp_sysctl_espstat(void *, size_t *, void *); 148 int ah_sysctl_ahstat(void *, size_t *, void *); 149 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 150 int ipsec_sysctl_ipsecstat(void *, size_t *, void *); 151 152 void 153 ipsec_init(void) 154 { 155 espcounters = counters_alloc(esps_ncounters); 156 ahcounters = counters_alloc(ahs_ncounters); 157 ipcompcounters = counters_alloc(ipcomps_ncounters); 158 ipseccounters = counters_alloc(ipsec_ncounters); 159 160 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc)); 161 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth)); 162 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); 163 164 } 165 166 /* 167 * ipsec_common_input() gets called when we receive an IPsec-protected packet 168 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 169 * transform. The callback takes care of further processing (like ingress 170 * filtering). 171 */ 172 int 173 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, 174 int udpencap) 175 { 176 #define IPSEC_ISTAT(x,y,z) do { \ 177 if (sproto == IPPROTO_ESP) \ 178 espstat_inc(x); \ 179 else if (sproto == IPPROTO_AH) \ 180 ahstat_inc(y); \ 181 else \ 182 ipcompstat_inc(z); \ 183 } while (0) 184 185 union sockaddr_union dst_address; 186 struct tdb *tdbp = NULL; 187 struct ifnet *encif; 188 u_int32_t spi; 189 u_int16_t cpi; 190 int error; 191 #ifdef ENCDEBUG 192 char buf[INET6_ADDRSTRLEN]; 193 #endif 194 195 NET_ASSERT_LOCKED(); 196 197 ipsecstat_inc(ipsec_ipackets); 198 ipsecstat_add(ipsec_ibytes, m->m_pkthdr.len); 199 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 200 201 if (m == NULL) { 202 DPRINTF(("%s: NULL packet received\n", __func__)); 203 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 204 return EINVAL; 205 } 206 207 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 208 DPRINTF(("%s: repeated decompression\n", __func__)); 209 ipcompstat_inc(ipcomps_pdrops); 210 error = EINVAL; 211 goto drop; 212 } 213 214 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 215 DPRINTF(("%s: packet too small\n", __func__)); 216 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 217 error = EINVAL; 218 goto drop; 219 } 220 221 /* Retrieve the SPI from the relevant IPsec header */ 222 switch (sproto) { 223 case IPPROTO_ESP: 224 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 225 break; 226 case IPPROTO_AH: 227 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 228 (caddr_t) &spi); 229 break; 230 case IPPROTO_IPCOMP: 231 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 232 (caddr_t) &cpi); 233 spi = ntohl(htons(cpi)); 234 break; 235 default: 236 panic("%s: unknown/unsupported security protocol %d", 237 __func__, sproto); 238 } 239 240 /* 241 * Find tunnel control block and (indirectly) call the appropriate 242 * kernel crypto routine. The resulting mbuf chain is a valid 243 * IP packet ready to go through input processing. 244 */ 245 246 memset(&dst_address, 0, sizeof(dst_address)); 247 dst_address.sa.sa_family = af; 248 249 switch (af) { 250 case AF_INET: 251 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 252 m_copydata(m, offsetof(struct ip, ip_dst), 253 sizeof(struct in_addr), 254 (caddr_t) &(dst_address.sin.sin_addr)); 255 break; 256 257 #ifdef INET6 258 case AF_INET6: 259 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 260 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 261 sizeof(struct in6_addr), 262 (caddr_t) &(dst_address.sin6.sin6_addr)); 263 in6_recoverscope(&dst_address.sin6, 264 &dst_address.sin6.sin6_addr); 265 break; 266 #endif /* INET6 */ 267 268 default: 269 DPRINTF(("%s: unsupported protocol family %d\n", __func__, af)); 270 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 271 error = EPFNOSUPPORT; 272 goto drop; 273 } 274 275 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 276 spi, &dst_address, sproto); 277 if (tdbp == NULL) { 278 DPRINTF(("%s: could not find SA for packet to %s, spi %08x\n", 279 __func__, 280 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi))); 281 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 282 error = ENOENT; 283 goto drop; 284 } 285 286 if (tdbp->tdb_flags & TDBF_INVALID) { 287 DPRINTF(("%s: attempted to use invalid SA %s/%08x/%u\n", 288 __func__, ipsp_address(&dst_address, buf, 289 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 290 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 291 error = EINVAL; 292 goto drop; 293 } 294 295 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 296 DPRINTF(("%s: attempted to use non-udpencap SA %s/%08x/%u\n", 297 __func__, ipsp_address(&dst_address, buf, 298 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 299 espstat_inc(esps_udpinval); 300 error = EINVAL; 301 goto drop; 302 } 303 304 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 305 DPRINTF(("%s: attempted to use udpencap SA %s/%08x/%u\n", 306 __func__, ipsp_address(&dst_address, buf, 307 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 308 espstat_inc(esps_udpneeded); 309 error = EINVAL; 310 goto drop; 311 } 312 313 if (tdbp->tdb_xform == NULL) { 314 DPRINTF(("%s: attempted to use uninitialized SA %s/%08x/%u\n", 315 __func__, ipsp_address(&dst_address, buf, 316 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 317 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 318 error = ENXIO; 319 goto drop; 320 } 321 322 if (sproto != IPPROTO_IPCOMP) { 323 if ((encif = enc_getif(tdbp->tdb_rdomain_post, 324 tdbp->tdb_tap)) == NULL) { 325 DPRINTF(("%s: no enc%u interface for SA %s/%08x/%u\n", 326 __func__, 327 tdbp->tdb_tap, ipsp_address(&dst_address, buf, 328 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 329 IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops); 330 error = EACCES; 331 goto drop; 332 } 333 334 /* XXX This conflicts with the scoped nature of IPv6 */ 335 m->m_pkthdr.ph_ifidx = encif->if_index; 336 } 337 338 /* Register first use, setup expiration timer. */ 339 if (tdbp->tdb_first_use == 0) { 340 tdbp->tdb_first_use = gettime(); 341 if (tdbp->tdb_flags & TDBF_FIRSTUSE) 342 timeout_add_sec(&tdbp->tdb_first_tmo, 343 tdbp->tdb_exp_first_use); 344 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) 345 timeout_add_sec(&tdbp->tdb_sfirst_tmo, 346 tdbp->tdb_soft_first_use); 347 } 348 349 tdbp->tdb_ipackets++; 350 tdbp->tdb_ibytes += m->m_pkthdr.len; 351 352 /* 353 * Call appropriate transform and return -- callback takes care of 354 * everything else. 355 */ 356 error = (*(tdbp->tdb_xform->xf_input))(m, tdbp, skip, protoff); 357 if (error) { 358 ipsecstat_inc(ipsec_idrops); 359 tdbp->tdb_idrops++; 360 } 361 return error; 362 363 drop: 364 ipsecstat_inc(ipsec_idrops); 365 if (tdbp != NULL) 366 tdbp->tdb_idrops++; 367 m_freem(m); 368 return error; 369 } 370 371 void 372 ipsec_input_cb(struct cryptop *crp) 373 { 374 struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque; 375 struct mbuf *m = (struct mbuf *) crp->crp_buf; 376 struct tdb *tdb = NULL; 377 int clen, error; 378 379 KERNEL_ASSERT_LOCKED(); 380 381 if (m == NULL) { 382 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 383 ipsecstat_inc(ipsec_crypto); 384 goto droponly; 385 } 386 387 388 NET_LOCK(); 389 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 390 if (tdb == NULL) { 391 DPRINTF(("%s: TDB is expired while in crypto", __func__)); 392 ipsecstat_inc(ipsec_notdb); 393 goto baddone; 394 } 395 396 /* Check for crypto errors */ 397 if (crp->crp_etype) { 398 if (crp->crp_etype == EAGAIN) { 399 /* Reset the session ID */ 400 if (tdb->tdb_cryptoid != 0) 401 tdb->tdb_cryptoid = crp->crp_sid; 402 NET_UNLOCK(); 403 crypto_dispatch(crp); 404 return; 405 } 406 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 407 ipsecstat_inc(ipsec_noxform); 408 goto baddone; 409 } 410 411 /* Length of data after processing */ 412 clen = crp->crp_olen; 413 414 /* Release the crypto descriptors */ 415 crypto_freereq(crp); 416 417 switch (tdb->tdb_sproto) { 418 case IPPROTO_ESP: 419 error = esp_input_cb(tdb, tc, m, clen); 420 break; 421 case IPPROTO_AH: 422 error = ah_input_cb(tdb, tc, m, clen); 423 break; 424 case IPPROTO_IPCOMP: 425 error = ipcomp_input_cb(tdb, tc, m, clen); 426 break; 427 default: 428 panic("%s: unknown/unsupported security protocol %d", 429 __func__, tdb->tdb_sproto); 430 } 431 432 NET_UNLOCK(); 433 if (error) { 434 ipsecstat_inc(ipsec_idrops); 435 tdb->tdb_idrops++; 436 } 437 return; 438 439 baddone: 440 NET_UNLOCK(); 441 droponly: 442 ipsecstat_inc(ipsec_idrops); 443 if (tdb != NULL) 444 tdb->tdb_idrops++; 445 free(tc, M_XDATA, 0); 446 m_freem(m); 447 crypto_freereq(crp); 448 } 449 450 /* 451 * IPsec input callback, called by the transform callback. Takes care of 452 * filtering and other sanity checks on the processed packet. 453 */ 454 int 455 ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) 456 { 457 int af, sproto; 458 u_int8_t prot; 459 460 #if NBPFILTER > 0 461 struct ifnet *encif; 462 #endif 463 464 struct ip *ip, ipn; 465 466 #ifdef INET6 467 struct ip6_hdr *ip6, ip6n; 468 #endif /* INET6 */ 469 struct m_tag *mtag; 470 struct tdb_ident *tdbi; 471 472 #ifdef ENCDEBUG 473 char buf[INET6_ADDRSTRLEN]; 474 #endif 475 476 af = tdbp->tdb_dst.sa.sa_family; 477 sproto = tdbp->tdb_sproto; 478 479 tdbp->tdb_last_used = gettime(); 480 481 /* Sanity check */ 482 if (m == NULL) { 483 /* The called routine will print a message if necessary */ 484 IPSEC_ISTAT(esps_badkcr, ahs_badkcr, ipcomps_badkcr); 485 return -1; 486 } 487 488 /* Fix IPv4 header */ 489 if (af == AF_INET) { 490 if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) { 491 DPRINTF(("%s: processing failed for SA %s/%08x\n", 492 __func__, ipsp_address(&tdbp->tdb_dst, 493 buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); 494 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 495 return -1; 496 } 497 498 ip = mtod(m, struct ip *); 499 ip->ip_len = htons(m->m_pkthdr.len); 500 ip->ip_sum = 0; 501 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 502 prot = ip->ip_p; 503 504 /* IP-in-IP encapsulation */ 505 if (prot == IPPROTO_IPIP) { 506 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 507 m_freem(m); 508 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 509 ipcomps_hdrops); 510 return -1; 511 } 512 /* ipn will now contain the inner IPv4 header */ 513 m_copydata(m, skip, sizeof(struct ip), 514 (caddr_t) &ipn); 515 } 516 517 #ifdef INET6 518 /* IPv6-in-IP encapsulation. */ 519 if (prot == IPPROTO_IPV6) { 520 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 521 m_freem(m); 522 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 523 ipcomps_hdrops); 524 return -1; 525 } 526 /* ip6n will now contain the inner IPv6 header. */ 527 m_copydata(m, skip, sizeof(struct ip6_hdr), 528 (caddr_t) &ip6n); 529 } 530 #endif /* INET6 */ 531 } 532 533 #ifdef INET6 534 /* Fix IPv6 header */ 535 if (af == AF_INET6) 536 { 537 if (m->m_len < sizeof(struct ip6_hdr) && 538 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 539 540 DPRINTF(("%s: processing failed for SA %s/%08x\n", 541 __func__, ipsp_address(&tdbp->tdb_dst, 542 buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); 543 544 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 545 return -1; 546 } 547 548 ip6 = mtod(m, struct ip6_hdr *); 549 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 550 551 /* Save protocol */ 552 m_copydata(m, protoff, 1, (caddr_t) &prot); 553 554 /* IP-in-IP encapsulation */ 555 if (prot == IPPROTO_IPIP) { 556 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 557 m_freem(m); 558 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 559 ipcomps_hdrops); 560 return -1; 561 } 562 /* ipn will now contain the inner IPv4 header */ 563 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 564 } 565 566 /* IPv6-in-IP encapsulation */ 567 if (prot == IPPROTO_IPV6) { 568 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 569 m_freem(m); 570 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 571 ipcomps_hdrops); 572 return -1; 573 } 574 /* ip6n will now contain the inner IPv6 header. */ 575 m_copydata(m, skip, sizeof(struct ip6_hdr), 576 (caddr_t) &ip6n); 577 } 578 } 579 #endif /* INET6 */ 580 581 /* 582 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 583 * (RFC3948 3.1.2) 584 */ 585 if ((af == AF_INET || af == AF_INET6) && 586 (tdbp->tdb_flags & TDBF_UDPENCAP) && 587 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 588 u_int16_t cksum; 589 590 switch (prot) { 591 case IPPROTO_UDP: 592 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 593 m_freem(m); 594 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 595 ipcomps_hdrops); 596 return -1; 597 } 598 cksum = 0; 599 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 600 sizeof(cksum), &cksum, M_NOWAIT); 601 #ifdef INET6 602 if (af == AF_INET6) { 603 cksum = in6_cksum(m, IPPROTO_UDP, skip, 604 m->m_pkthdr.len - skip); 605 m_copyback(m, skip + offsetof(struct udphdr, 606 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 607 } 608 #endif 609 break; 610 case IPPROTO_TCP: 611 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 612 m_freem(m); 613 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 614 ipcomps_hdrops); 615 return -1; 616 } 617 cksum = 0; 618 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 619 sizeof(cksum), &cksum, M_NOWAIT); 620 if (af == AF_INET) 621 cksum = in4_cksum(m, IPPROTO_TCP, skip, 622 m->m_pkthdr.len - skip); 623 #ifdef INET6 624 else if (af == AF_INET6) 625 cksum = in6_cksum(m, IPPROTO_TCP, skip, 626 m->m_pkthdr.len - skip); 627 #endif 628 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 629 sizeof(cksum), &cksum, M_NOWAIT); 630 break; 631 } 632 } 633 634 /* 635 * Record what we've done to the packet (under what SA it was 636 * processed). 637 */ 638 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 639 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 640 sizeof(struct tdb_ident), M_NOWAIT); 641 if (mtag == NULL) { 642 m_freem(m); 643 DPRINTF(("%s: failed to get tag\n", __func__)); 644 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 645 return -1; 646 } 647 648 tdbi = (struct tdb_ident *)(mtag + 1); 649 tdbi->dst = tdbp->tdb_dst; 650 tdbi->proto = tdbp->tdb_sproto; 651 tdbi->spi = tdbp->tdb_spi; 652 tdbi->rdomain = tdbp->tdb_rdomain; 653 654 m_tag_prepend(m, mtag); 655 } 656 657 switch (sproto) { 658 case IPPROTO_ESP: 659 /* Packet is confidential ? */ 660 if (tdbp->tdb_encalgxform) 661 m->m_flags |= M_CONF; 662 663 /* Check if we had authenticated ESP. */ 664 if (tdbp->tdb_authalgxform) 665 m->m_flags |= M_AUTH; 666 break; 667 case IPPROTO_AH: 668 m->m_flags |= M_AUTH; 669 break; 670 case IPPROTO_IPCOMP: 671 m->m_flags |= M_COMP; 672 break; 673 default: 674 panic("%s: unknown/unsupported security protocol %d", 675 __func__, sproto); 676 } 677 678 #if NPF > 0 679 /* Add pf tag if requested. */ 680 pf_tag_packet(m, tdbp->tdb_tag, -1); 681 pf_pkt_addr_changed(m); 682 #endif 683 if (tdbp->tdb_rdomain != tdbp->tdb_rdomain_post) 684 m->m_pkthdr.ph_rtableid = tdbp->tdb_rdomain_post; 685 686 if (tdbp->tdb_flags & TDBF_TUNNELING) 687 m->m_flags |= M_TUNNEL; 688 689 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); 690 tdbp->tdb_idecompbytes += m->m_pkthdr.len; 691 692 #if NBPFILTER > 0 693 if ((encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap)) != NULL) { 694 encif->if_ipackets++; 695 encif->if_ibytes += m->m_pkthdr.len; 696 697 if (encif->if_bpf) { 698 struct enchdr hdr; 699 700 hdr.af = af; 701 hdr.spi = tdbp->tdb_spi; 702 hdr.flags = m->m_flags & (M_AUTH|M_CONF); 703 704 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 705 ENC_HDRLEN, m, BPF_DIRECTION_IN); 706 } 707 } 708 #endif 709 710 #if NPF > 0 711 /* 712 * The ip_deliver() shortcut avoids running through ip_input() with the 713 * same IP header twice. Packets in transport mode have to be be 714 * passed to pf explicitly. In tunnel mode the inner IP header will 715 * run through ip_input() and pf anyway. 716 */ 717 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 718 struct ifnet *ifp; 719 720 /* This is the enc0 interface unless for ipcomp. */ 721 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 722 m_freem(m); 723 return -1; 724 } 725 if (pf_test(af, PF_IN, ifp, &m) != PF_PASS) { 726 if_put(ifp); 727 m_freem(m); 728 return -1; 729 } 730 if_put(ifp); 731 if (m == NULL) 732 return -1; 733 } 734 #endif 735 /* Call the appropriate IPsec transform callback. */ 736 ip_deliver(&m, &skip, prot, af); 737 return 0; 738 #undef IPSEC_ISTAT 739 } 740 741 int 742 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 743 size_t newlen) 744 { 745 int error; 746 747 switch (name[0]) { 748 case IPCTL_IPSEC_ENC_ALGORITHM: 749 NET_LOCK(); 750 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 751 ipsec_def_enc, sizeof(ipsec_def_enc)); 752 NET_UNLOCK(); 753 return (error); 754 case IPCTL_IPSEC_AUTH_ALGORITHM: 755 NET_LOCK(); 756 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 757 ipsec_def_auth, sizeof(ipsec_def_auth)); 758 NET_UNLOCK(); 759 return (error); 760 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 761 NET_LOCK(); 762 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 763 ipsec_def_comp, sizeof(ipsec_def_comp)); 764 NET_UNLOCK(); 765 return (error); 766 case IPCTL_IPSEC_STATS: 767 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp)); 768 default: 769 NET_LOCK(); 770 error = sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars), 771 name, namelen, oldp, oldlenp, newp, newlen); 772 NET_UNLOCK(); 773 return (error); 774 } 775 } 776 777 int 778 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 779 size_t newlen) 780 { 781 int error; 782 783 /* All sysctl names at this level are terminal. */ 784 if (namelen != 1) 785 return (ENOTDIR); 786 787 switch (name[0]) { 788 case ESPCTL_STATS: 789 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 790 default: 791 NET_LOCK(); 792 error = sysctl_bounded_arr(espctl_vars, nitems(espctl_vars), 793 name, namelen, oldp, oldlenp, newp, newlen); 794 NET_UNLOCK(); 795 return (error); 796 } 797 } 798 799 int 800 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 801 { 802 struct espstat espstat; 803 804 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 805 memset(&espstat, 0, sizeof espstat); 806 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters); 807 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 808 sizeof(espstat))); 809 } 810 811 int 812 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 813 size_t newlen) 814 { 815 int error; 816 817 /* All sysctl names at this level are terminal. */ 818 if (namelen != 1) 819 return (ENOTDIR); 820 821 switch (name[0]) { 822 case AHCTL_STATS: 823 return ah_sysctl_ahstat(oldp, oldlenp, newp); 824 default: 825 NET_LOCK(); 826 error = sysctl_bounded_arr(ahctl_vars, nitems(ahctl_vars), name, 827 namelen, oldp, oldlenp, newp, newlen); 828 NET_UNLOCK(); 829 return (error); 830 } 831 } 832 833 int 834 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 835 { 836 struct ahstat ahstat; 837 838 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 839 memset(&ahstat, 0, sizeof ahstat); 840 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters); 841 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 842 } 843 844 int 845 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 846 size_t newlen) 847 { 848 int error; 849 850 /* All sysctl names at this level are terminal. */ 851 if (namelen != 1) 852 return (ENOTDIR); 853 854 switch (name[0]) { 855 case IPCOMPCTL_STATS: 856 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 857 default: 858 NET_LOCK(); 859 error = sysctl_bounded_arr(ipcompctl_vars, 860 nitems(ipcompctl_vars), name, namelen, oldp, oldlenp, 861 newp, newlen); 862 NET_UNLOCK(); 863 return (error); 864 } 865 } 866 867 int 868 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 869 { 870 struct ipcompstat ipcompstat; 871 872 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 873 memset(&ipcompstat, 0, sizeof ipcompstat); 874 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 875 ipcomps_ncounters); 876 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 877 sizeof(ipcompstat))); 878 } 879 880 int 881 ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp) 882 { 883 struct ipsecstat ipsecstat; 884 885 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t))); 886 memset(&ipsecstat, 0, sizeof ipsecstat); 887 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters); 888 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat, 889 sizeof(ipsecstat))); 890 } 891 892 /* IPv4 AH wrapper. */ 893 int 894 ah4_input(struct mbuf **mp, int *offp, int proto, int af) 895 { 896 if ( 897 #if NPF > 0 898 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 899 #endif 900 !ah_enable) 901 return rip_input(mp, offp, proto, af); 902 903 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 904 proto, 0); 905 return IPPROTO_DONE; 906 } 907 908 void 909 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 910 { 911 if (sa->sa_family != AF_INET || 912 sa->sa_len != sizeof(struct sockaddr_in)) 913 return; 914 915 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 916 } 917 918 /* IPv4 ESP wrapper. */ 919 int 920 esp4_input(struct mbuf **mp, int *offp, int proto, int af) 921 { 922 if ( 923 #if NPF > 0 924 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 925 #endif 926 !esp_enable) 927 return rip_input(mp, offp, proto, af); 928 929 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 930 proto, 0); 931 return IPPROTO_DONE; 932 } 933 934 /* IPv4 IPCOMP wrapper */ 935 int 936 ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af) 937 { 938 if ( 939 #if NPF > 0 940 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 941 #endif 942 !ipcomp_enable) 943 return rip_input(mp, offp, proto, af); 944 945 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 946 proto, 0); 947 return IPPROTO_DONE; 948 } 949 950 void 951 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 952 void *v, int proto) 953 { 954 struct ip *ip = v; 955 956 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) { 957 struct tdb *tdbp; 958 struct sockaddr_in dst; 959 struct icmp *icp; 960 int hlen = ip->ip_hl << 2; 961 u_int32_t spi, mtu; 962 ssize_t adjust; 963 964 /* Find the right MTU. */ 965 icp = (struct icmp *)((caddr_t) ip - 966 offsetof(struct icmp, icmp_ip)); 967 mtu = ntohs(icp->icmp_nextmtu); 968 969 /* 970 * Ignore the packet, if we do not receive a MTU 971 * or the MTU is too small to be acceptable. 972 */ 973 if (mtu < 296) 974 return; 975 976 memset(&dst, 0, sizeof(struct sockaddr_in)); 977 dst.sin_family = AF_INET; 978 dst.sin_len = sizeof(struct sockaddr_in); 979 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 980 981 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 982 983 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst, 984 proto); 985 if (tdbp == NULL || tdbp->tdb_flags & TDBF_INVALID) 986 return; 987 988 /* Walk the chain backwards to the first tdb */ 989 NET_ASSERT_LOCKED(); 990 for (; tdbp; tdbp = tdbp->tdb_inext) { 991 if (tdbp->tdb_flags & TDBF_INVALID || 992 (adjust = ipsec_hdrsz(tdbp)) == -1) 993 return; 994 995 mtu -= adjust; 996 997 /* Store adjusted MTU in tdb */ 998 tdbp->tdb_mtu = mtu; 999 tdbp->tdb_mtutimeout = gettime() + 1000 ip_mtudisc_timeout; 1001 DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", __func__, 1002 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 1003 adjust)); 1004 } 1005 } 1006 } 1007 1008 void 1009 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1010 { 1011 struct ip *ip = v; 1012 struct tdb *tdbp; 1013 struct icmp *icp; 1014 u_int32_t mtu; 1015 ssize_t adjust; 1016 struct sockaddr_in dst, src; 1017 union sockaddr_union *su_dst, *su_src; 1018 1019 NET_ASSERT_LOCKED(); 1020 1021 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 1022 mtu = ntohs(icp->icmp_nextmtu); 1023 1024 /* 1025 * Ignore the packet, if we do not receive a MTU 1026 * or the MTU is too small to be acceptable. 1027 */ 1028 if (mtu < 296) 1029 return; 1030 1031 memset(&dst, 0, sizeof(dst)); 1032 dst.sin_family = AF_INET; 1033 dst.sin_len = sizeof(struct sockaddr_in); 1034 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 1035 su_dst = (union sockaddr_union *)&dst; 1036 memset(&src, 0, sizeof(src)); 1037 src.sin_family = AF_INET; 1038 src.sin_len = sizeof(struct sockaddr_in); 1039 src.sin_addr.s_addr = ip->ip_src.s_addr; 1040 su_src = (union sockaddr_union *)&src; 1041 1042 tdbp = gettdbbysrcdst_rev(rdomain, 0, su_src, su_dst, 1043 IPPROTO_ESP); 1044 1045 for (; tdbp != NULL; tdbp = tdbp->tdb_snext) { 1046 if (tdbp->tdb_sproto == IPPROTO_ESP && 1047 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 1048 TDBF_UDPENCAP) && 1049 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 1050 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) { 1051 if ((adjust = ipsec_hdrsz(tdbp)) != -1) { 1052 /* Store adjusted MTU in tdb */ 1053 tdbp->tdb_mtu = mtu - adjust; 1054 tdbp->tdb_mtutimeout = gettime() + 1055 ip_mtudisc_timeout; 1056 DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", 1057 __func__, 1058 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 1059 adjust)); 1060 } 1061 } 1062 } 1063 } 1064 1065 void 1066 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1067 { 1068 if (sa->sa_family != AF_INET || 1069 sa->sa_len != sizeof(struct sockaddr_in)) 1070 return; 1071 1072 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 1073 } 1074 1075 #ifdef INET6 1076 /* IPv6 AH wrapper. */ 1077 int 1078 ah6_input(struct mbuf **mp, int *offp, int proto, int af) 1079 { 1080 int l = 0; 1081 int protoff, nxt; 1082 struct ip6_ext ip6e; 1083 1084 if ( 1085 #if NPF > 0 1086 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1087 #endif 1088 !ah_enable) 1089 return rip6_input(mp, offp, proto, af); 1090 1091 if (*offp < sizeof(struct ip6_hdr)) { 1092 DPRINTF(("%s: bad offset\n", __func__)); 1093 ahstat_inc(ahs_hdrops); 1094 m_freemp(mp); 1095 return IPPROTO_DONE; 1096 } else if (*offp == sizeof(struct ip6_hdr)) { 1097 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1098 } else { 1099 /* Chase down the header chain... */ 1100 protoff = sizeof(struct ip6_hdr); 1101 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1102 1103 do { 1104 protoff += l; 1105 m_copydata(*mp, protoff, sizeof(ip6e), 1106 (caddr_t) &ip6e); 1107 1108 if (nxt == IPPROTO_AH) 1109 l = (ip6e.ip6e_len + 2) << 2; 1110 else 1111 l = (ip6e.ip6e_len + 1) << 3; 1112 #ifdef DIAGNOSTIC 1113 if (l <= 0) 1114 panic("ah6_input: l went zero or negative"); 1115 #endif 1116 1117 nxt = ip6e.ip6e_nxt; 1118 } while (protoff + l < *offp); 1119 1120 /* Malformed packet check */ 1121 if (protoff + l != *offp) { 1122 DPRINTF(("%s: bad packet header chain\n", __func__)); 1123 ahstat_inc(ahs_hdrops); 1124 m_freemp(mp); 1125 return IPPROTO_DONE; 1126 } 1127 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1128 } 1129 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1130 return IPPROTO_DONE; 1131 } 1132 1133 /* IPv6 ESP wrapper. */ 1134 int 1135 esp6_input(struct mbuf **mp, int *offp, int proto, int af) 1136 { 1137 int l = 0; 1138 int protoff, nxt; 1139 struct ip6_ext ip6e; 1140 1141 if ( 1142 #if NPF > 0 1143 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1144 #endif 1145 !esp_enable) 1146 return rip6_input(mp, offp, proto, af); 1147 1148 if (*offp < sizeof(struct ip6_hdr)) { 1149 DPRINTF(("%s: bad offset\n", __func__)); 1150 espstat_inc(esps_hdrops); 1151 m_freemp(mp); 1152 return IPPROTO_DONE; 1153 } else if (*offp == sizeof(struct ip6_hdr)) { 1154 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1155 } else { 1156 /* Chase down the header chain... */ 1157 protoff = sizeof(struct ip6_hdr); 1158 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1159 1160 do { 1161 protoff += l; 1162 m_copydata(*mp, protoff, sizeof(ip6e), 1163 (caddr_t) &ip6e); 1164 1165 if (nxt == IPPROTO_AH) 1166 l = (ip6e.ip6e_len + 2) << 2; 1167 else 1168 l = (ip6e.ip6e_len + 1) << 3; 1169 #ifdef DIAGNOSTIC 1170 if (l <= 0) 1171 panic("esp6_input: l went zero or negative"); 1172 #endif 1173 1174 nxt = ip6e.ip6e_nxt; 1175 } while (protoff + l < *offp); 1176 1177 /* Malformed packet check */ 1178 if (protoff + l != *offp) { 1179 DPRINTF(("%s: bad packet header chain\n", __func__)); 1180 espstat_inc(esps_hdrops); 1181 m_freemp(mp); 1182 return IPPROTO_DONE; 1183 } 1184 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1185 } 1186 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1187 return IPPROTO_DONE; 1188 1189 } 1190 1191 /* IPv6 IPcomp wrapper */ 1192 int 1193 ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af) 1194 { 1195 int l = 0; 1196 int protoff, nxt; 1197 struct ip6_ext ip6e; 1198 1199 if ( 1200 #if NPF > 0 1201 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1202 #endif 1203 !ipcomp_enable) 1204 return rip6_input(mp, offp, proto, af); 1205 1206 if (*offp < sizeof(struct ip6_hdr)) { 1207 DPRINTF(("%s: bad offset\n", __func__)); 1208 ipcompstat_inc(ipcomps_hdrops); 1209 m_freemp(mp); 1210 return IPPROTO_DONE; 1211 } else if (*offp == sizeof(struct ip6_hdr)) { 1212 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1213 } else { 1214 /* Chase down the header chain... */ 1215 protoff = sizeof(struct ip6_hdr); 1216 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1217 1218 do { 1219 protoff += l; 1220 m_copydata(*mp, protoff, sizeof(ip6e), 1221 (caddr_t) &ip6e); 1222 if (nxt == IPPROTO_AH) 1223 l = (ip6e.ip6e_len + 2) << 2; 1224 else 1225 l = (ip6e.ip6e_len + 1) << 3; 1226 #ifdef DIAGNOSTIC 1227 if (l <= 0) 1228 panic("l went zero or negative"); 1229 #endif 1230 1231 nxt = ip6e.ip6e_nxt; 1232 } while (protoff + l < *offp); 1233 1234 /* Malformed packet check */ 1235 if (protoff + l != *offp) { 1236 DPRINTF(("%s: bad packet header chain\n", __func__)); 1237 ipcompstat_inc(ipcomps_hdrops); 1238 m_freemp(mp); 1239 return IPPROTO_DONE; 1240 } 1241 1242 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1243 } 1244 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1245 return IPPROTO_DONE; 1246 } 1247 #endif /* INET6 */ 1248 1249 int 1250 ipsec_forward_check(struct mbuf *m, int hlen, int af) 1251 { 1252 struct tdb *tdb; 1253 struct tdb_ident *tdbi; 1254 struct m_tag *mtag; 1255 int error = 0; 1256 1257 /* 1258 * IPsec policy check for forwarded packets. Look at 1259 * inner-most IPsec SA used. 1260 */ 1261 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1262 if (mtag != NULL) { 1263 tdbi = (struct tdb_ident *)(mtag + 1); 1264 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1265 } else 1266 tdb = NULL; 1267 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0); 1268 1269 return error; 1270 } 1271 1272 int 1273 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1274 { 1275 struct tdb *tdb; 1276 struct tdb_ident *tdbi; 1277 struct m_tag *mtag; 1278 int error = 0; 1279 1280 /* 1281 * If it's a protected packet for us, skip the policy check. 1282 * That's because we really only care about the properties of 1283 * the protected packet, and not the intermediate versions. 1284 * While this is not the most paranoid setting, it allows 1285 * some flexibility in handling nested tunnels (in setting up 1286 * the policies). 1287 */ 1288 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1289 (proto == IPPROTO_IPCOMP)) 1290 return 0; 1291 1292 /* 1293 * If the protected packet was tunneled, then we need to 1294 * verify the protected packet's information, not the 1295 * external headers. Thus, skip the policy lookup for the 1296 * external packet, and keep the IPsec information linked on 1297 * the packet header (the encapsulation routines know how 1298 * to deal with that). 1299 */ 1300 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1301 return 0; 1302 1303 /* 1304 * When processing IPv6 header chains, do not look at the 1305 * outer header. The inner protocol is relevant and will 1306 * be checked by the local delivery loop later. 1307 */ 1308 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1309 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1310 return 0; 1311 1312 /* 1313 * If the protected packet is TCP or UDP, we'll do the 1314 * policy check in the respective input routine, so we can 1315 * check for bypass sockets. 1316 */ 1317 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1318 return 0; 1319 1320 /* 1321 * IPsec policy check for local-delivery packets. Look at the 1322 * inner-most SA that protected the packet. This is in fact 1323 * a bit too restrictive (it could end up causing packets to 1324 * be dropped that semantically follow the policy, e.g., in 1325 * certain SA-bundle configurations); but the alternative is 1326 * very complicated (and requires keeping track of what 1327 * kinds of tunneling headers have been seen in-between the 1328 * IPsec headers), and I don't think we lose much functionality 1329 * that's needed in the real world (who uses bundles anyway ?). 1330 */ 1331 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1332 if (mtag) { 1333 tdbi = (struct tdb_ident *)(mtag + 1); 1334 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1335 tdbi->proto); 1336 } else 1337 tdb = NULL; 1338 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, 1339 tdb, NULL, 0); 1340 1341 return error; 1342 } 1343