1 /* $NetBSD: ipsec_input.c,v 1.6 2003/10/06 22:05:15 tls Exp $ */ 2 /* $FreeBSD: src/sys/netipsec/ipsec_input.c,v 1.2.4.1 2003/01/24 05:11:35 sam Exp $ */ 3 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ 4 5 #include <sys/cdefs.h> 6 __KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.6 2003/10/06 22:05:15 tls Exp $"); 7 8 /* 9 * IPsec input processing. 10 */ 11 12 #include "opt_inet.h" 13 #ifdef __FreeBSD__ 14 #include "opt_inet6.h" 15 #endif 16 #include "opt_ipsec.h" 17 18 #include <sys/param.h> 19 #include <sys/systm.h> 20 #include <sys/malloc.h> 21 #include <sys/mbuf.h> 22 #include <sys/domain.h> 23 #include <sys/protosw.h> 24 #include <sys/socket.h> 25 #include <sys/errno.h> 26 #include <sys/syslog.h> 27 28 #include <net/if.h> 29 #include <net/route.h> 30 #include <net/netisr.h> 31 32 #include <netinet/in.h> 33 #include <netinet/in_systm.h> 34 #include <netinet/ip.h> 35 #include <netinet/ip_var.h> 36 #include <netinet/in_var.h> 37 38 #include <netinet/ip6.h> 39 #ifdef INET6 40 #include <netinet6/ip6_var.h> 41 #endif 42 #include <netinet/in_pcb.h> 43 #ifdef INET6 44 #include <netinet/icmp6.h> 45 #endif 46 47 #include <netipsec/ipsec.h> 48 #ifdef INET6 49 #include <netipsec/ipsec6.h> 50 #endif 51 #include <netipsec/ah_var.h> 52 #include <netipsec/esp.h> 53 #include <netipsec/esp_var.h> 54 #include <netipsec/ipcomp_var.h> 55 56 #include <netipsec/key.h> 57 #include <netipsec/keydb.h> 58 59 #include <netipsec/xform.h> 60 #include <netinet6/ip6protosw.h> 61 62 #include <netipsec/ipsec_osdep.h> 63 64 #include <machine/stdarg.h> 65 66 #include <net/net_osdep.h> 67 68 #define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \ 69 (p) == IPPROTO_AH ? (y)++ : (z)++) 70 71 /* 72 * ipsec_common_input gets called when an IPsec-protected packet 73 * is received by IPv4 or IPv6. It's job is to find the right SA 74 # and call the appropriate transform. The transform callback 75 * takes care of further processing (like ingress filtering). 76 */ 77 static int 78 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) 79 { 80 union sockaddr_union dst_address; 81 struct secasvar *sav; 82 u_int32_t spi; 83 int s, error; 84 85 IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input, 86 ipcompstat.ipcomps_input); 87 88 IPSEC_ASSERT(m != NULL, ("ipsec_common_input: null packet")); 89 90 if ((sproto == IPPROTO_ESP && !esp_enable) || 91 (sproto == IPPROTO_AH && !ah_enable) || 92 (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) { 93 m_freem(m); 94 IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops, 95 ipcompstat.ipcomps_pdrops); 96 return EOPNOTSUPP; 97 } 98 99 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 100 m_freem(m); 101 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, 102 ipcompstat.ipcomps_hdrops); 103 DPRINTF(("ipsec_common_input: packet too small\n")); 104 return EINVAL; 105 } 106 107 /* Retrieve the SPI from the relevant IPsec header */ 108 if (sproto == IPPROTO_ESP) 109 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 110 else if (sproto == IPPROTO_AH) 111 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 112 (caddr_t) &spi); 113 else if (sproto == IPPROTO_IPCOMP) { 114 u_int16_t cpi; 115 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 116 (caddr_t) &cpi); 117 spi = ntohl(htons(cpi)); 118 } 119 120 /* 121 * Find the SA and (indirectly) call the appropriate 122 * kernel crypto routine. The resulting mbuf chain is a valid 123 * IP packet ready to go through input processing. 124 */ 125 bzero(&dst_address, sizeof (dst_address)); 126 dst_address.sa.sa_family = af; 127 switch (af) { 128 #ifdef INET 129 case AF_INET: 130 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 131 m_copydata(m, offsetof(struct ip, ip_dst), 132 sizeof(struct in_addr), 133 (caddr_t) &dst_address.sin.sin_addr); 134 break; 135 #endif /* INET */ 136 #ifdef INET6 137 case AF_INET6: 138 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 139 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 140 sizeof(struct in6_addr), 141 (caddr_t) &dst_address.sin6.sin6_addr); 142 break; 143 #endif /* INET6 */ 144 default: 145 DPRINTF(("ipsec_common_input: unsupported protocol " 146 "family %u\n", af)); 147 m_freem(m); 148 IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf, 149 ipcompstat.ipcomps_nopf); 150 return EPFNOSUPPORT; 151 } 152 153 s = splsoftnet(); 154 155 /* NB: only pass dst since key_allocsa follows RFC2401 */ 156 sav = KEY_ALLOCSA(&dst_address, sproto, spi); 157 if (sav == NULL) { 158 DPRINTF(("ipsec_common_input: no key association found for" 159 " SA %s/%08lx/%u\n", 160 ipsec_address(&dst_address), 161 (u_long) ntohl(spi), sproto)); 162 IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb, 163 ipcompstat.ipcomps_notdb); 164 splx(s); 165 m_freem(m); 166 return ENOENT; 167 } 168 169 if (sav->tdb_xform == NULL) { 170 DPRINTF(("ipsec_common_input: attempted to use uninitialized" 171 " SA %s/%08lx/%u\n", 172 ipsec_address(&dst_address), 173 (u_long) ntohl(spi), sproto)); 174 IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform, 175 ipcompstat.ipcomps_noxform); 176 KEY_FREESAV(&sav); 177 splx(s); 178 m_freem(m); 179 return ENXIO; 180 } 181 182 /* 183 * Call appropriate transform and return -- callback takes care of 184 * everything else. 185 */ 186 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); 187 KEY_FREESAV(&sav); 188 splx(s); 189 return error; 190 } 191 192 #ifdef INET 193 /* 194 * Common input handler for IPv4 AH, ESP, and IPCOMP. 195 */ 196 void 197 ipsec4_common_input(struct mbuf *m, ...) 198 { 199 va_list ap; 200 int off, nxt; 201 202 va_start(ap, m); 203 off = va_arg(ap, int); 204 nxt = va_arg(ap, int); 205 va_end(ap); 206 207 (void) ipsec_common_input(m, off, offsetof(struct ip, ip_p), 208 AF_INET, nxt); 209 } 210 211 /* 212 * IPsec input callback for INET protocols. 213 * This routine is called as the transform callback. 214 * Takes care of filtering and other sanity checks on 215 * the processed packet. 216 */ 217 int 218 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, 219 int skip, int protoff, struct m_tag *mt) 220 { 221 int prot, af, sproto; 222 struct ip *ip; 223 struct m_tag *mtag; 224 struct tdb_ident *tdbi; 225 struct secasindex *saidx; 226 int error; 227 228 IPSEC_SPLASSERT_SOFTNET("ipsec4_common_input_cb"); 229 230 IPSEC_ASSERT(m != NULL, ("ipsec4_common_input_cb: null mbuf")); 231 IPSEC_ASSERT(sav != NULL, ("ipsec4_common_input_cb: null SA")); 232 IPSEC_ASSERT(sav->sah != NULL, ("ipsec4_common_input_cb: null SAH")); 233 saidx = &sav->sah->saidx; 234 af = saidx->dst.sa.sa_family; 235 IPSEC_ASSERT(af == AF_INET, ("ipsec4_common_input_cb: unexpected af %u",af)); 236 sproto = saidx->proto; 237 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 238 sproto == IPPROTO_IPCOMP, 239 ("ipsec4_common_input_cb: unexpected security protocol %u", 240 sproto)); 241 242 /* Sanity check */ 243 if (m == NULL) { 244 DPRINTF(("ipsec4_common_input_cb: null mbuf")); 245 IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr, 246 ipcompstat.ipcomps_badkcr); 247 KEY_FREESAV(&sav); 248 return EINVAL; 249 } 250 251 if (skip != 0) { 252 /* Fix IPv4 header */ 253 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 254 DPRINTF(("ipsec4_common_input_cb: processing failed " 255 "for SA %s/%08lx\n", 256 ipsec_address(&sav->sah->saidx.dst), 257 (u_long) ntohl(sav->spi))); 258 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, 259 ipcompstat.ipcomps_hdrops); 260 error = ENOBUFS; 261 goto bad; 262 } 263 264 ip = mtod(m, struct ip *); 265 ip->ip_len = htons(m->m_pkthdr.len); 266 #ifdef __FreeBSD__ 267 /* On FreeBSD, ip_off and ip_len assumed in host endian. */ 268 ip->ip_off = htons(ip->ip_off); 269 #endif 270 ip->ip_sum = 0; 271 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 272 } else { 273 ip = mtod(m, struct ip *); 274 } 275 prot = ip->ip_p; 276 277 /* IP-in-IP encapsulation */ 278 if (prot == IPPROTO_IPIP) { 279 struct ip ipn; 280 281 /* ipn will now contain the inner IPv4 header */ 282 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), 283 (caddr_t) &ipn); 284 285 #ifdef notyet 286 /* XXX PROXY address isn't recorded in SAH */ 287 /* 288 * Check that the inner source address is the same as 289 * the proxy address, if available. 290 */ 291 if ((saidx->proxy.sa.sa_family == AF_INET && 292 saidx->proxy.sin.sin_addr.s_addr != 293 INADDR_ANY && 294 ipn.ip_src.s_addr != 295 saidx->proxy.sin.sin_addr.s_addr) || 296 (saidx->proxy.sa.sa_family != AF_INET && 297 saidx->proxy.sa.sa_family != 0)) { 298 299 DPRINTF(("ipsec4_common_input_cb: inner " 300 "source address %s doesn't correspond to " 301 "expected proxy source %s, SA %s/%08lx\n", 302 inet_ntoa4(ipn.ip_src), 303 ipsp_address(saidx->proxy), 304 ipsp_address(saidx->dst), 305 (u_long) ntohl(sav->spi))); 306 307 IPSEC_ISTAT(sproto, espstat.esps_pdrops, 308 ahstat.ahs_pdrops, 309 ipcompstat.ipcomps_pdrops); 310 error = EACCES; 311 goto bad; 312 } 313 #endif /*XXX*/ 314 } 315 #if INET6 316 /* IPv6-in-IP encapsulation. */ 317 if (prot == IPPROTO_IPV6) { 318 struct ip6_hdr ip6n; 319 320 /* ip6n will now contain the inner IPv6 header. */ 321 m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), 322 (caddr_t) &ip6n); 323 324 #ifdef notyet 325 /* 326 * Check that the inner source address is the same as 327 * the proxy address, if available. 328 */ 329 if ((saidx->proxy.sa.sa_family == AF_INET6 && 330 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && 331 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, 332 &saidx->proxy.sin6.sin6_addr)) || 333 (saidx->proxy.sa.sa_family != AF_INET6 && 334 saidx->proxy.sa.sa_family != 0)) { 335 336 DPRINTF(("ipsec4_common_input_cb: inner " 337 "source address %s doesn't correspond to " 338 "expected proxy source %s, SA %s/%08lx\n", 339 ip6_sprintf(&ip6n.ip6_src), 340 ipsec_address(&saidx->proxy), 341 ipsec_address(&saidx->dst), 342 (u_long) ntohl(sav->spi))); 343 344 IPSEC_ISTAT(sproto, espstat.esps_pdrops, 345 ahstat.ahs_pdrops, 346 ipcompstat.ipcomps_pdrops); 347 error = EACCES; 348 goto bad; 349 } 350 #endif /*XXX*/ 351 } 352 #endif /* INET6 */ 353 354 /* 355 * Record what we've done to the packet (under what SA it was 356 * processed). If we've been passed an mtag, it means the packet 357 * was already processed by an ethernet/crypto combo card and 358 * thus has a tag attached with all the right information, but 359 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to 360 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type. 361 */ 362 if (mt == NULL && sproto != IPPROTO_IPCOMP) { 363 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 364 sizeof(struct tdb_ident), M_NOWAIT); 365 if (mtag == NULL) { 366 DPRINTF(("ipsec4_common_input_cb: failed to get tag\n")); 367 IPSEC_ISTAT(sproto, espstat.esps_hdrops, 368 ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); 369 error = ENOMEM; 370 goto bad; 371 } 372 373 tdbi = (struct tdb_ident *)(mtag + 1); 374 bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len); 375 tdbi->proto = sproto; 376 tdbi->spi = sav->spi; 377 378 m_tag_prepend(m, mtag); 379 } else { 380 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE; 381 /* XXX do we need to mark m_flags??? */ 382 } 383 384 key_sa_recordxfer(sav, m); /* record data transfer */ 385 386 /* 387 * Re-dispatch via software interrupt. 388 */ 389 if (!IF_HANDOFF(&ipintrq, m, NULL)) { 390 IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull, 391 ipcompstat.ipcomps_qfull); 392 393 DPRINTF(("ipsec4_common_input_cb: queue full; " 394 "proto %u packet dropped\n", sproto)); 395 return ENOBUFS; 396 } 397 schednetisr(NETISR_IP); 398 return 0; 399 bad: 400 m_freem(m); 401 return error; 402 } 403 #endif /* INET */ 404 405 #ifdef INET6 406 /* IPv6 AH wrapper. */ 407 int 408 ipsec6_common_input(struct mbuf **mp, int *offp, int proto) 409 { 410 int l = 0; 411 int protoff; 412 struct ip6_ext ip6e; 413 414 if (*offp < sizeof(struct ip6_hdr)) { 415 DPRINTF(("ipsec6_common_input: bad offset %u\n", *offp)); 416 return IPPROTO_DONE; 417 } else if (*offp == sizeof(struct ip6_hdr)) { 418 protoff = offsetof(struct ip6_hdr, ip6_nxt); 419 } else { 420 /* Chase down the header chain... */ 421 protoff = sizeof(struct ip6_hdr); 422 423 do { 424 protoff += l; 425 m_copydata(*mp, protoff, sizeof(ip6e), 426 (caddr_t) &ip6e); 427 428 if (ip6e.ip6e_nxt == IPPROTO_AH) 429 l = (ip6e.ip6e_len + 2) << 2; 430 else 431 l = (ip6e.ip6e_len + 1) << 3; 432 IPSEC_ASSERT(l > 0, ("ah6_input: l went zero or negative")); 433 } while (protoff + l < *offp); 434 435 /* Malformed packet check */ 436 if (protoff + l != *offp) { 437 DPRINTF(("ipsec6_common_input: bad packet header chain, " 438 "protoff %u, l %u, off %u\n", protoff, l, *offp)); 439 IPSEC_ISTAT(proto, espstat.esps_hdrops, 440 ahstat.ahs_hdrops, 441 ipcompstat.ipcomps_hdrops); 442 m_freem(*mp); 443 *mp = NULL; 444 return IPPROTO_DONE; 445 } 446 protoff += offsetof(struct ip6_ext, ip6e_nxt); 447 } 448 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto); 449 return IPPROTO_DONE; 450 } 451 452 void 453 esp6_ctlinput(int cmd, struct sockaddr *sa, void *d) 454 { 455 if (sa->sa_family != AF_INET6 || 456 sa->sa_len != sizeof(struct sockaddr_in6)) 457 return; 458 if ((unsigned)cmd >= PRC_NCMDS) 459 return; 460 461 /* if the parameter is from icmp6, decode it. */ 462 if (d != NULL) { 463 struct ip6ctlparam *ip6cp = (struct ip6ctlparam *)d; 464 struct mbuf *m = ip6cp->ip6c_m; 465 int off = ip6cp->ip6c_off; 466 467 struct ip6ctlparam ip6cp1; 468 469 /* 470 * Notify the error to all possible sockets via pfctlinput2. 471 * Since the upper layer information (such as protocol type, 472 * source and destination ports) is embedded in the encrypted 473 * data and might have been cut, we can't directly call 474 * an upper layer ctlinput function. However, the pcbnotify 475 * function will consider source and destination addresses 476 * as well as the flow info value, and may be able to find 477 * some PCB that should be notified. 478 * Although pfctlinput2 will call esp6_ctlinput(), there is 479 * no possibility of an infinite loop of function calls, 480 * because we don't pass the inner IPv6 header. 481 */ 482 bzero(&ip6cp1, sizeof(ip6cp1)); 483 ip6cp1.ip6c_src = ip6cp->ip6c_src; 484 pfctlinput2(cmd, sa, (void *)&ip6cp1); 485 486 /* 487 * Then go to special cases that need ESP header information. 488 * XXX: We assume that when ip6 is non NULL, 489 * M and OFF are valid. 490 */ 491 492 if (cmd == PRC_MSGSIZE) { 493 struct secasvar *sav; 494 u_int32_t spi; 495 int valid; 496 497 /* check header length before using m_copydata */ 498 if (m->m_pkthdr.len < off + sizeof (struct esp)) 499 return; 500 m_copydata(m, off + offsetof(struct esp, esp_spi), 501 sizeof(u_int32_t), (caddr_t) &spi); 502 /* 503 * Check to see if we have a valid SA corresponding to 504 * the address in the ICMP message payload. 505 */ 506 sav = KEY_ALLOCSA((union sockaddr_union *)sa, 507 IPPROTO_ESP, spi); 508 valid = (sav != NULL); 509 if (sav) 510 KEY_FREESAV(&sav); 511 512 /* XXX Further validation? */ 513 514 /* 515 * Depending on whether the SA is "valid" and 516 * routing table size (mtudisc_{hi,lo}wat), we will: 517 * - recalcurate the new MTU and create the 518 * corresponding routing entry, or 519 * - ignore the MTU change notification. 520 */ 521 icmp6_mtudisc_update(ip6cp, valid); 522 } 523 } else { 524 /* we normally notify any pcb here */ 525 } 526 } 527 528 extern struct ip6protosw inet6sw[]; 529 extern u_char ip6_protox[]; 530 531 /* 532 * IPsec input callback, called by the transform callback. Takes care of 533 * filtering and other sanity checks on the processed packet. 534 */ 535 int 536 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, 537 struct m_tag *mt) 538 { 539 int prot, af, sproto; 540 struct ip6_hdr *ip6; 541 struct m_tag *mtag; 542 struct tdb_ident *tdbi; 543 struct secasindex *saidx; 544 int nxt; 545 u_int8_t nxt8; 546 int error, nest; 547 548 IPSEC_ASSERT(m != NULL, ("ipsec6_common_input_cb: null mbuf")); 549 IPSEC_ASSERT(sav != NULL, ("ipsec6_common_input_cb: null SA")); 550 IPSEC_ASSERT(sav->sah != NULL, ("ipsec6_common_input_cb: null SAH")); 551 saidx = &sav->sah->saidx; 552 af = saidx->dst.sa.sa_family; 553 IPSEC_ASSERT(af == AF_INET6, 554 ("ipsec6_common_input_cb: unexpected af %u", af)); 555 sproto = saidx->proto; 556 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 557 sproto == IPPROTO_IPCOMP, 558 ("ipsec6_common_input_cb: unexpected security protocol %u", 559 sproto)); 560 561 /* Sanity check */ 562 if (m == NULL) { 563 DPRINTF(("ipsec4_common_input_cb: null mbuf")); 564 IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr, 565 ipcompstat.ipcomps_badkcr); 566 error = EINVAL; 567 goto bad; 568 } 569 570 /* Fix IPv6 header */ 571 if (m->m_len < sizeof(struct ip6_hdr) && 572 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 573 574 DPRINTF(("ipsec_common_input_cb: processing failed " 575 "for SA %s/%08lx\n", ipsec_address(&sav->sah->saidx.dst), 576 (u_long) ntohl(sav->spi))); 577 578 IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, 579 ipcompstat.ipcomps_hdrops); 580 error = EACCES; 581 goto bad; 582 } 583 584 ip6 = mtod(m, struct ip6_hdr *); 585 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 586 587 /* Save protocol */ 588 m_copydata(m, protoff, 1, (unsigned char *) &prot); 589 590 #ifdef INET 591 /* IP-in-IP encapsulation */ 592 if (prot == IPPROTO_IPIP) { 593 struct ip ipn; 594 595 /* ipn will now contain the inner IPv4 header */ 596 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 597 598 #ifdef notyet 599 /* 600 * Check that the inner source address is the same as 601 * the proxy address, if available. 602 */ 603 if ((saidx->proxy.sa.sa_family == AF_INET && 604 saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY && 605 ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) || 606 (saidx->proxy.sa.sa_family != AF_INET && 607 saidx->proxy.sa.sa_family != 0)) { 608 609 DPRINTF(("ipsec_common_input_cb: inner " 610 "source address %s doesn't correspond to " 611 "expected proxy source %s, SA %s/%08lx\n", 612 inet_ntoa4(ipn.ip_src), 613 ipsec_address(&saidx->proxy), 614 ipsec_address(&saidx->dst), 615 (u_long) ntohl(sav->spi))); 616 617 IPSEC_ISTATsproto, (espstat.esps_pdrops, 618 ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); 619 error = EACCES; 620 goto bad; 621 } 622 #endif /*XXX*/ 623 } 624 #endif /* INET */ 625 626 /* IPv6-in-IP encapsulation */ 627 if (prot == IPPROTO_IPV6) { 628 struct ip6_hdr ip6n; 629 630 /* ip6n will now contain the inner IPv6 header. */ 631 m_copydata(m, skip, sizeof(struct ip6_hdr), 632 (caddr_t) &ip6n); 633 634 #ifdef notyet 635 /* 636 * Check that the inner source address is the same as 637 * the proxy address, if available. 638 */ 639 if ((saidx->proxy.sa.sa_family == AF_INET6 && 640 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && 641 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, 642 &saidx->proxy.sin6.sin6_addr)) || 643 (saidx->proxy.sa.sa_family != AF_INET6 && 644 saidx->proxy.sa.sa_family != 0)) { 645 646 DPRINTF(("ipsec_common_input_cb: inner " 647 "source address %s doesn't correspond to " 648 "expected proxy source %s, SA %s/%08lx\n", 649 ip6_sprintf(&ip6n.ip6_src), 650 ipsec_address(&saidx->proxy), 651 ipsec_address(&saidx->dst), 652 (u_long) ntohl(sav->spi))); 653 654 IPSEC_ISTAT(sproto, espstat.esps_pdrops, 655 ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); 656 error = EACCES; 657 goto bad; 658 } 659 #endif /*XXX*/ 660 } 661 662 /* 663 * Record what we've done to the packet (under what SA it was 664 * processed). If we've been passed an mtag, it means the packet 665 * was already processed by an ethernet/crypto combo card and 666 * thus has a tag attached with all the right information, but 667 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to 668 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type. 669 */ 670 if (mt == NULL && sproto != IPPROTO_IPCOMP) { 671 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 672 sizeof(struct tdb_ident), M_NOWAIT); 673 if (mtag == NULL) { 674 DPRINTF(("ipsec_common_input_cb: failed to " 675 "get tag\n")); 676 IPSEC_ISTAT(sproto, espstat.esps_hdrops, 677 ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); 678 error = ENOMEM; 679 goto bad; 680 } 681 682 tdbi = (struct tdb_ident *)(mtag + 1); 683 bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union)); 684 tdbi->proto = sproto; 685 tdbi->spi = sav->spi; 686 687 m_tag_prepend(m, mtag); 688 } else { 689 mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE; 690 /* XXX do we need to mark m_flags??? */ 691 } 692 693 key_sa_recordxfer(sav, m); 694 695 /* Retrieve new protocol */ 696 m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8); 697 698 /* 699 * See the end of ip6_input for this logic. 700 * IPPROTO_IPV[46] case will be processed just like other ones 701 */ 702 nest = 0; 703 nxt = nxt8; 704 while (nxt != IPPROTO_DONE) { 705 if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { 706 ip6stat.ip6s_toomanyhdr++; 707 error = EINVAL; 708 goto bad; 709 } 710 711 /* 712 * Protection against faulty packet - there should be 713 * more sanity checks in header chain processing. 714 */ 715 if (m->m_pkthdr.len < skip) { 716 ip6stat.ip6s_tooshort++; 717 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 718 error = EINVAL; 719 goto bad; 720 } 721 /* 722 * Enforce IPsec policy checking if we are seeing last header. 723 * note that we do not visit this with protocols with pcb layer 724 * code - like udp/tcp/raw ip. 725 */ 726 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 727 ipsec6_in_reject(m, NULL)) { 728 error = EINVAL; 729 goto bad; 730 } 731 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); 732 } 733 return 0; 734 bad: 735 if (m) 736 m_freem(m); 737 return error; 738 } 739 #endif /* INET6 */ 740