1 /* $OpenBSD: ipsec_input.c,v 1.176 2021/07/21 12:23:32 bluhm Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pf.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/protosw.h> 43 #include <sys/mbuf.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/kernel.h> 47 #include <sys/timeout.h> 48 49 #include <net/if.h> 50 #include <net/if_var.h> 51 #include <net/netisr.h> 52 #include <net/bpf.h> 53 #include <net/route.h> 54 55 #include <netinet/in.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/ip_icmp.h> 59 #include <netinet/tcp.h> 60 #include <netinet/udp.h> 61 62 #if NPF > 0 63 #include <net/pfvar.h> 64 #endif 65 66 #ifdef INET6 67 #include <netinet6/in6_var.h> 68 #include <netinet/ip6.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/ip6protosw.h> 71 #endif /* INET6 */ 72 73 #include <netinet/ip_ipsp.h> 74 #include <netinet/ip_esp.h> 75 #include <netinet/ip_ah.h> 76 #include <netinet/ip_ipcomp.h> 77 78 #include <net/if_enc.h> 79 80 #include <crypto/cryptodev.h> 81 #include <crypto/xform.h> 82 83 #include "bpfilter.h" 84 85 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 86 87 #ifdef ENCDEBUG 88 #define DPRINTF(fmt, args...) \ 89 do { \ 90 if (encdebug) \ 91 printf("%s: " fmt "\n", __func__, ## args); \ 92 } while (0) 93 #else 94 #define DPRINTF(fmt, args...) \ 95 do { } while (0) 96 #endif 97 98 /* sysctl variables */ 99 int encdebug = 0; 100 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; 101 int ipsec_require_pfs = IPSEC_DEFAULT_PFS; 102 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; 103 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; 104 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; 105 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; 106 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; 107 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; 108 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; 109 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; 110 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; 111 112 int esp_enable = 1; 113 int ah_enable = 1; 114 int ipcomp_enable = 0; 115 116 const struct sysctl_bounded_args espctl_vars[] = { 117 {ESPCTL_ENABLE, &esp_enable, 0, 1}, 118 {ESPCTL_UDPENCAP_ENABLE, &udpencap_enable, 0, 1}, 119 {ESPCTL_UDPENCAP_PORT, &udpencap_port, 0, 65535}, 120 }; 121 const struct sysctl_bounded_args ahctl_vars[] = { 122 {AHCTL_ENABLE, &ah_enable, 0, 1}, 123 }; 124 const struct sysctl_bounded_args ipcompctl_vars[] = { 125 {IPCOMPCTL_ENABLE, &ipcomp_enable, 0, 1}, 126 }; 127 128 struct cpumem *espcounters; 129 struct cpumem *ahcounters; 130 struct cpumem *ipcompcounters; 131 struct cpumem *ipseccounters; 132 133 char ipsec_def_enc[20]; 134 char ipsec_def_auth[20]; 135 char ipsec_def_comp[20]; 136 137 const struct sysctl_bounded_args ipsecctl_vars[] = { 138 { IPSEC_ENCDEBUG, &encdebug, 0, 1 }, 139 { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX }, 140 { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX }, 141 { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 }, 142 { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX }, 143 { IPSEC_ALLOCATIONS, &ipsec_exp_allocations, 0, INT_MAX }, 144 { IPSEC_SOFT_BYTES, &ipsec_soft_bytes, 0, INT_MAX }, 145 { IPSEC_BYTES, &ipsec_exp_bytes, 0, INT_MAX }, 146 { IPSEC_TIMEOUT, &ipsec_exp_timeout, 0, INT_MAX }, 147 { IPSEC_SOFT_TIMEOUT, &ipsec_soft_timeout,0, INT_MAX }, 148 { IPSEC_SOFT_FIRSTUSE, &ipsec_soft_first_use, 0, INT_MAX }, 149 { IPSEC_FIRSTUSE, &ipsec_exp_first_use, 0, INT_MAX }, 150 }; 151 152 int esp_sysctl_espstat(void *, size_t *, void *); 153 int ah_sysctl_ahstat(void *, size_t *, void *); 154 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 155 int ipsec_sysctl_ipsecstat(void *, size_t *, void *); 156 157 void 158 ipsec_init(void) 159 { 160 espcounters = counters_alloc(esps_ncounters); 161 ahcounters = counters_alloc(ahs_ncounters); 162 ipcompcounters = counters_alloc(ipcomps_ncounters); 163 ipseccounters = counters_alloc(ipsec_ncounters); 164 165 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc)); 166 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth)); 167 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); 168 169 } 170 171 /* 172 * ipsec_common_input() gets called when we receive an IPsec-protected packet 173 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 174 * transform. The callback takes care of further processing (like ingress 175 * filtering). 176 */ 177 int 178 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, 179 int udpencap) 180 { 181 #define IPSEC_ISTAT(x,y,z) do { \ 182 if (sproto == IPPROTO_ESP) \ 183 espstat_inc(x); \ 184 else if (sproto == IPPROTO_AH) \ 185 ahstat_inc(y); \ 186 else \ 187 ipcompstat_inc(z); \ 188 } while (0) 189 190 union sockaddr_union dst_address; 191 struct tdb *tdbp = NULL; 192 struct ifnet *encif; 193 u_int32_t spi; 194 u_int16_t cpi; 195 int error; 196 #ifdef ENCDEBUG 197 char buf[INET6_ADDRSTRLEN]; 198 #endif 199 200 NET_ASSERT_LOCKED(); 201 202 ipsecstat_inc(ipsec_ipackets); 203 ipsecstat_add(ipsec_ibytes, m->m_pkthdr.len); 204 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 205 206 if (m == NULL) { 207 DPRINTF("NULL packet received"); 208 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 209 return EINVAL; 210 } 211 212 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 213 DPRINTF("repeated decompression"); 214 ipcompstat_inc(ipcomps_pdrops); 215 error = EINVAL; 216 goto drop; 217 } 218 219 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 220 DPRINTF("packet too small"); 221 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 222 error = EINVAL; 223 goto drop; 224 } 225 226 /* Retrieve the SPI from the relevant IPsec header */ 227 switch (sproto) { 228 case IPPROTO_ESP: 229 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 230 break; 231 case IPPROTO_AH: 232 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 233 (caddr_t) &spi); 234 break; 235 case IPPROTO_IPCOMP: 236 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 237 (caddr_t) &cpi); 238 spi = ntohl(htons(cpi)); 239 break; 240 default: 241 panic("%s: unknown/unsupported security protocol %d", 242 __func__, sproto); 243 } 244 245 /* 246 * Find tunnel control block and (indirectly) call the appropriate 247 * kernel crypto routine. The resulting mbuf chain is a valid 248 * IP packet ready to go through input processing. 249 */ 250 251 memset(&dst_address, 0, sizeof(dst_address)); 252 dst_address.sa.sa_family = af; 253 254 switch (af) { 255 case AF_INET: 256 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 257 m_copydata(m, offsetof(struct ip, ip_dst), 258 sizeof(struct in_addr), 259 (caddr_t) &(dst_address.sin.sin_addr)); 260 break; 261 262 #ifdef INET6 263 case AF_INET6: 264 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 265 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 266 sizeof(struct in6_addr), 267 (caddr_t) &(dst_address.sin6.sin6_addr)); 268 in6_recoverscope(&dst_address.sin6, 269 &dst_address.sin6.sin6_addr); 270 break; 271 #endif /* INET6 */ 272 273 default: 274 DPRINTF("unsupported protocol family %d", af); 275 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 276 error = EPFNOSUPPORT; 277 goto drop; 278 } 279 280 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 281 spi, &dst_address, sproto); 282 if (tdbp == NULL) { 283 DPRINTF("could not find SA for packet to %s, spi %08x", 284 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)); 285 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 286 error = ENOENT; 287 goto drop; 288 } 289 290 if (tdbp->tdb_flags & TDBF_INVALID) { 291 DPRINTF("attempted to use invalid SA %s/%08x/%u", 292 ipsp_address(&dst_address, buf, sizeof(buf)), 293 ntohl(spi), tdbp->tdb_sproto); 294 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 295 error = EINVAL; 296 goto drop; 297 } 298 299 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 300 DPRINTF("attempted to use non-udpencap SA %s/%08x/%u", 301 ipsp_address(&dst_address, buf, sizeof(buf)), 302 ntohl(spi), tdbp->tdb_sproto); 303 espstat_inc(esps_udpinval); 304 error = EINVAL; 305 goto drop; 306 } 307 308 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 309 DPRINTF("attempted to use udpencap SA %s/%08x/%u", 310 ipsp_address(&dst_address, buf, sizeof(buf)), 311 ntohl(spi), tdbp->tdb_sproto); 312 espstat_inc(esps_udpneeded); 313 error = EINVAL; 314 goto drop; 315 } 316 317 if (tdbp->tdb_xform == NULL) { 318 DPRINTF("attempted to use uninitialized SA %s/%08x/%u", 319 ipsp_address(&dst_address, buf, sizeof(buf)), 320 ntohl(spi), tdbp->tdb_sproto); 321 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 322 error = ENXIO; 323 goto drop; 324 } 325 326 if (sproto != IPPROTO_IPCOMP) { 327 if ((encif = enc_getif(tdbp->tdb_rdomain_post, 328 tdbp->tdb_tap)) == NULL) { 329 DPRINTF("no enc%u interface for SA %s/%08x/%u", 330 tdbp->tdb_tap, 331 ipsp_address(&dst_address, buf, sizeof(buf)), 332 ntohl(spi), tdbp->tdb_sproto); 333 IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops); 334 error = EACCES; 335 goto drop; 336 } 337 338 /* XXX This conflicts with the scoped nature of IPv6 */ 339 m->m_pkthdr.ph_ifidx = encif->if_index; 340 } 341 342 /* Register first use, setup expiration timer. */ 343 if (tdbp->tdb_first_use == 0) { 344 tdbp->tdb_first_use = gettime(); 345 if (tdbp->tdb_flags & TDBF_FIRSTUSE) 346 timeout_add_sec(&tdbp->tdb_first_tmo, 347 tdbp->tdb_exp_first_use); 348 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) 349 timeout_add_sec(&tdbp->tdb_sfirst_tmo, 350 tdbp->tdb_soft_first_use); 351 } 352 353 tdbp->tdb_ipackets++; 354 tdbp->tdb_ibytes += m->m_pkthdr.len; 355 356 /* 357 * Call appropriate transform and return -- callback takes care of 358 * everything else. 359 */ 360 error = (*(tdbp->tdb_xform->xf_input))(m, tdbp, skip, protoff); 361 if (error) { 362 ipsecstat_inc(ipsec_idrops); 363 tdbp->tdb_idrops++; 364 } 365 return error; 366 367 drop: 368 ipsecstat_inc(ipsec_idrops); 369 if (tdbp != NULL) 370 tdbp->tdb_idrops++; 371 m_freem(m); 372 return error; 373 } 374 375 void 376 ipsec_input_cb(struct cryptop *crp) 377 { 378 struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque; 379 struct mbuf *m = (struct mbuf *) crp->crp_buf; 380 struct tdb *tdb = NULL; 381 int clen, error; 382 383 KERNEL_ASSERT_LOCKED(); 384 385 if (m == NULL) { 386 DPRINTF("bogus returned buffer from crypto"); 387 ipsecstat_inc(ipsec_crypto); 388 goto droponly; 389 } 390 391 392 NET_LOCK(); 393 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 394 if (tdb == NULL) { 395 DPRINTF("TDB is expired while in crypto"); 396 ipsecstat_inc(ipsec_notdb); 397 goto baddone; 398 } 399 400 /* Check for crypto errors */ 401 if (crp->crp_etype) { 402 if (crp->crp_etype == EAGAIN) { 403 /* Reset the session ID */ 404 if (tdb->tdb_cryptoid != 0) 405 tdb->tdb_cryptoid = crp->crp_sid; 406 NET_UNLOCK(); 407 error = crypto_dispatch(crp); 408 if (error) { 409 DPRINTF("crypto dispatch error %d", error); 410 ipsecstat_inc(ipsec_idrops); 411 tdb->tdb_idrops++; 412 } 413 return; 414 } 415 DPRINTF("crypto error %d", crp->crp_etype); 416 ipsecstat_inc(ipsec_noxform); 417 goto baddone; 418 } 419 420 /* Length of data after processing */ 421 clen = crp->crp_olen; 422 423 /* Release the crypto descriptors */ 424 crypto_freereq(crp); 425 426 switch (tdb->tdb_sproto) { 427 case IPPROTO_ESP: 428 error = esp_input_cb(tdb, tc, m, clen); 429 break; 430 case IPPROTO_AH: 431 error = ah_input_cb(tdb, tc, m, clen); 432 break; 433 case IPPROTO_IPCOMP: 434 error = ipcomp_input_cb(tdb, tc, m, clen); 435 break; 436 default: 437 panic("%s: unknown/unsupported security protocol %d", 438 __func__, tdb->tdb_sproto); 439 } 440 441 NET_UNLOCK(); 442 if (error) { 443 ipsecstat_inc(ipsec_idrops); 444 tdb->tdb_idrops++; 445 } 446 return; 447 448 baddone: 449 NET_UNLOCK(); 450 droponly: 451 ipsecstat_inc(ipsec_idrops); 452 if (tdb != NULL) 453 tdb->tdb_idrops++; 454 free(tc, M_XDATA, 0); 455 m_freem(m); 456 crypto_freereq(crp); 457 } 458 459 /* 460 * IPsec input callback, called by the transform callback. Takes care of 461 * filtering and other sanity checks on the processed packet. 462 */ 463 int 464 ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) 465 { 466 int af, sproto; 467 u_int8_t prot; 468 469 #if NBPFILTER > 0 470 struct ifnet *encif; 471 #endif 472 473 struct ip *ip, ipn; 474 475 #ifdef INET6 476 struct ip6_hdr *ip6, ip6n; 477 #endif /* INET6 */ 478 struct m_tag *mtag; 479 struct tdb_ident *tdbi; 480 481 #ifdef ENCDEBUG 482 char buf[INET6_ADDRSTRLEN]; 483 #endif 484 485 af = tdbp->tdb_dst.sa.sa_family; 486 sproto = tdbp->tdb_sproto; 487 488 tdbp->tdb_last_used = gettime(); 489 490 /* Sanity check */ 491 if (m == NULL) { 492 /* The called routine will print a message if necessary */ 493 IPSEC_ISTAT(esps_badkcr, ahs_badkcr, ipcomps_badkcr); 494 return -1; 495 } 496 497 /* Fix IPv4 header */ 498 if (af == AF_INET) { 499 if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) { 500 DPRINTF("processing failed for SA %s/%08x", 501 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 502 ntohl(tdbp->tdb_spi)); 503 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 504 return -1; 505 } 506 507 ip = mtod(m, struct ip *); 508 ip->ip_len = htons(m->m_pkthdr.len); 509 ip->ip_sum = 0; 510 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 511 prot = ip->ip_p; 512 513 /* IP-in-IP encapsulation */ 514 if (prot == IPPROTO_IPIP) { 515 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 516 m_freem(m); 517 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 518 ipcomps_hdrops); 519 return -1; 520 } 521 /* ipn will now contain the inner IPv4 header */ 522 m_copydata(m, skip, sizeof(struct ip), 523 (caddr_t) &ipn); 524 } 525 526 #ifdef INET6 527 /* IPv6-in-IP encapsulation. */ 528 if (prot == IPPROTO_IPV6) { 529 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 530 m_freem(m); 531 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 532 ipcomps_hdrops); 533 return -1; 534 } 535 /* ip6n will now contain the inner IPv6 header. */ 536 m_copydata(m, skip, sizeof(struct ip6_hdr), 537 (caddr_t) &ip6n); 538 } 539 #endif /* INET6 */ 540 } 541 542 #ifdef INET6 543 /* Fix IPv6 header */ 544 if (af == AF_INET6) 545 { 546 if (m->m_len < sizeof(struct ip6_hdr) && 547 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 548 549 DPRINTF("processing failed for SA %s/%08x", 550 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 551 ntohl(tdbp->tdb_spi)); 552 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 553 return -1; 554 } 555 556 ip6 = mtod(m, struct ip6_hdr *); 557 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 558 559 /* Save protocol */ 560 m_copydata(m, protoff, 1, (caddr_t) &prot); 561 562 /* IP-in-IP encapsulation */ 563 if (prot == IPPROTO_IPIP) { 564 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 565 m_freem(m); 566 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 567 ipcomps_hdrops); 568 return -1; 569 } 570 /* ipn will now contain the inner IPv4 header */ 571 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 572 } 573 574 /* IPv6-in-IP encapsulation */ 575 if (prot == IPPROTO_IPV6) { 576 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 577 m_freem(m); 578 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 579 ipcomps_hdrops); 580 return -1; 581 } 582 /* ip6n will now contain the inner IPv6 header. */ 583 m_copydata(m, skip, sizeof(struct ip6_hdr), 584 (caddr_t) &ip6n); 585 } 586 } 587 #endif /* INET6 */ 588 589 /* 590 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 591 * (RFC3948 3.1.2) 592 */ 593 if ((af == AF_INET || af == AF_INET6) && 594 (tdbp->tdb_flags & TDBF_UDPENCAP) && 595 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 596 u_int16_t cksum; 597 598 switch (prot) { 599 case IPPROTO_UDP: 600 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 601 m_freem(m); 602 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 603 ipcomps_hdrops); 604 return -1; 605 } 606 cksum = 0; 607 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 608 sizeof(cksum), &cksum, M_NOWAIT); 609 #ifdef INET6 610 if (af == AF_INET6) { 611 cksum = in6_cksum(m, IPPROTO_UDP, skip, 612 m->m_pkthdr.len - skip); 613 m_copyback(m, skip + offsetof(struct udphdr, 614 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 615 } 616 #endif 617 break; 618 case IPPROTO_TCP: 619 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 620 m_freem(m); 621 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 622 ipcomps_hdrops); 623 return -1; 624 } 625 cksum = 0; 626 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 627 sizeof(cksum), &cksum, M_NOWAIT); 628 if (af == AF_INET) 629 cksum = in4_cksum(m, IPPROTO_TCP, skip, 630 m->m_pkthdr.len - skip); 631 #ifdef INET6 632 else if (af == AF_INET6) 633 cksum = in6_cksum(m, IPPROTO_TCP, skip, 634 m->m_pkthdr.len - skip); 635 #endif 636 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 637 sizeof(cksum), &cksum, M_NOWAIT); 638 break; 639 } 640 } 641 642 /* 643 * Record what we've done to the packet (under what SA it was 644 * processed). 645 */ 646 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 647 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 648 sizeof(struct tdb_ident), M_NOWAIT); 649 if (mtag == NULL) { 650 m_freem(m); 651 DPRINTF("failed to get tag"); 652 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 653 return -1; 654 } 655 656 tdbi = (struct tdb_ident *)(mtag + 1); 657 tdbi->dst = tdbp->tdb_dst; 658 tdbi->proto = tdbp->tdb_sproto; 659 tdbi->spi = tdbp->tdb_spi; 660 tdbi->rdomain = tdbp->tdb_rdomain; 661 662 m_tag_prepend(m, mtag); 663 } 664 665 switch (sproto) { 666 case IPPROTO_ESP: 667 /* Packet is confidential ? */ 668 if (tdbp->tdb_encalgxform) 669 m->m_flags |= M_CONF; 670 671 /* Check if we had authenticated ESP. */ 672 if (tdbp->tdb_authalgxform) 673 m->m_flags |= M_AUTH; 674 break; 675 case IPPROTO_AH: 676 m->m_flags |= M_AUTH; 677 break; 678 case IPPROTO_IPCOMP: 679 m->m_flags |= M_COMP; 680 break; 681 default: 682 panic("%s: unknown/unsupported security protocol %d", 683 __func__, sproto); 684 } 685 686 #if NPF > 0 687 /* Add pf tag if requested. */ 688 pf_tag_packet(m, tdbp->tdb_tag, -1); 689 pf_pkt_addr_changed(m); 690 #endif 691 if (tdbp->tdb_rdomain != tdbp->tdb_rdomain_post) 692 m->m_pkthdr.ph_rtableid = tdbp->tdb_rdomain_post; 693 694 if (tdbp->tdb_flags & TDBF_TUNNELING) 695 m->m_flags |= M_TUNNEL; 696 697 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); 698 tdbp->tdb_idecompbytes += m->m_pkthdr.len; 699 700 #if NBPFILTER > 0 701 if ((encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap)) != NULL) { 702 encif->if_ipackets++; 703 encif->if_ibytes += m->m_pkthdr.len; 704 705 if (encif->if_bpf) { 706 struct enchdr hdr; 707 708 hdr.af = af; 709 hdr.spi = tdbp->tdb_spi; 710 hdr.flags = m->m_flags & (M_AUTH|M_CONF); 711 712 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 713 ENC_HDRLEN, m, BPF_DIRECTION_IN); 714 } 715 } 716 #endif 717 718 #if NPF > 0 719 /* 720 * The ip_deliver() shortcut avoids running through ip_input() with the 721 * same IP header twice. Packets in transport mode have to be be 722 * passed to pf explicitly. In tunnel mode the inner IP header will 723 * run through ip_input() and pf anyway. 724 */ 725 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 726 struct ifnet *ifp; 727 728 /* This is the enc0 interface unless for ipcomp. */ 729 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 730 m_freem(m); 731 return -1; 732 } 733 if (pf_test(af, PF_IN, ifp, &m) != PF_PASS) { 734 if_put(ifp); 735 m_freem(m); 736 return -1; 737 } 738 if_put(ifp); 739 if (m == NULL) 740 return -1; 741 } 742 #endif 743 /* Call the appropriate IPsec transform callback. */ 744 ip_deliver(&m, &skip, prot, af); 745 return 0; 746 #undef IPSEC_ISTAT 747 } 748 749 int 750 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 751 size_t newlen) 752 { 753 int error; 754 755 switch (name[0]) { 756 case IPCTL_IPSEC_ENC_ALGORITHM: 757 NET_LOCK(); 758 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 759 ipsec_def_enc, sizeof(ipsec_def_enc)); 760 NET_UNLOCK(); 761 return (error); 762 case IPCTL_IPSEC_AUTH_ALGORITHM: 763 NET_LOCK(); 764 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 765 ipsec_def_auth, sizeof(ipsec_def_auth)); 766 NET_UNLOCK(); 767 return (error); 768 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 769 NET_LOCK(); 770 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 771 ipsec_def_comp, sizeof(ipsec_def_comp)); 772 NET_UNLOCK(); 773 return (error); 774 case IPCTL_IPSEC_STATS: 775 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp)); 776 default: 777 NET_LOCK(); 778 error = sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars), 779 name, namelen, oldp, oldlenp, newp, newlen); 780 NET_UNLOCK(); 781 return (error); 782 } 783 } 784 785 int 786 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 787 size_t newlen) 788 { 789 int error; 790 791 /* All sysctl names at this level are terminal. */ 792 if (namelen != 1) 793 return (ENOTDIR); 794 795 switch (name[0]) { 796 case ESPCTL_STATS: 797 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 798 default: 799 NET_LOCK(); 800 error = sysctl_bounded_arr(espctl_vars, nitems(espctl_vars), 801 name, namelen, oldp, oldlenp, newp, newlen); 802 NET_UNLOCK(); 803 return (error); 804 } 805 } 806 807 int 808 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 809 { 810 struct espstat espstat; 811 812 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 813 memset(&espstat, 0, sizeof espstat); 814 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters); 815 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 816 sizeof(espstat))); 817 } 818 819 int 820 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 821 size_t newlen) 822 { 823 int error; 824 825 /* All sysctl names at this level are terminal. */ 826 if (namelen != 1) 827 return (ENOTDIR); 828 829 switch (name[0]) { 830 case AHCTL_STATS: 831 return ah_sysctl_ahstat(oldp, oldlenp, newp); 832 default: 833 NET_LOCK(); 834 error = sysctl_bounded_arr(ahctl_vars, nitems(ahctl_vars), name, 835 namelen, oldp, oldlenp, newp, newlen); 836 NET_UNLOCK(); 837 return (error); 838 } 839 } 840 841 int 842 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 843 { 844 struct ahstat ahstat; 845 846 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 847 memset(&ahstat, 0, sizeof ahstat); 848 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters); 849 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 850 } 851 852 int 853 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 854 size_t newlen) 855 { 856 int error; 857 858 /* All sysctl names at this level are terminal. */ 859 if (namelen != 1) 860 return (ENOTDIR); 861 862 switch (name[0]) { 863 case IPCOMPCTL_STATS: 864 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 865 default: 866 NET_LOCK(); 867 error = sysctl_bounded_arr(ipcompctl_vars, 868 nitems(ipcompctl_vars), name, namelen, oldp, oldlenp, 869 newp, newlen); 870 NET_UNLOCK(); 871 return (error); 872 } 873 } 874 875 int 876 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 877 { 878 struct ipcompstat ipcompstat; 879 880 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 881 memset(&ipcompstat, 0, sizeof ipcompstat); 882 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 883 ipcomps_ncounters); 884 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 885 sizeof(ipcompstat))); 886 } 887 888 int 889 ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp) 890 { 891 struct ipsecstat ipsecstat; 892 893 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t))); 894 memset(&ipsecstat, 0, sizeof ipsecstat); 895 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters); 896 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat, 897 sizeof(ipsecstat))); 898 } 899 900 /* IPv4 AH wrapper. */ 901 int 902 ah4_input(struct mbuf **mp, int *offp, int proto, int af) 903 { 904 if ( 905 #if NPF > 0 906 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 907 #endif 908 !ah_enable) 909 return rip_input(mp, offp, proto, af); 910 911 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 912 proto, 0); 913 return IPPROTO_DONE; 914 } 915 916 void 917 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 918 { 919 if (sa->sa_family != AF_INET || 920 sa->sa_len != sizeof(struct sockaddr_in)) 921 return; 922 923 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 924 } 925 926 /* IPv4 ESP wrapper. */ 927 int 928 esp4_input(struct mbuf **mp, int *offp, int proto, int af) 929 { 930 if ( 931 #if NPF > 0 932 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 933 #endif 934 !esp_enable) 935 return rip_input(mp, offp, proto, af); 936 937 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 938 proto, 0); 939 return IPPROTO_DONE; 940 } 941 942 /* IPv4 IPCOMP wrapper */ 943 int 944 ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af) 945 { 946 if ( 947 #if NPF > 0 948 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 949 #endif 950 !ipcomp_enable) 951 return rip_input(mp, offp, proto, af); 952 953 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 954 proto, 0); 955 return IPPROTO_DONE; 956 } 957 958 void 959 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 960 void *v, int proto) 961 { 962 struct ip *ip = v; 963 964 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) { 965 struct tdb *tdbp; 966 struct sockaddr_in dst; 967 struct icmp *icp; 968 int hlen = ip->ip_hl << 2; 969 u_int32_t spi, mtu; 970 ssize_t adjust; 971 972 /* Find the right MTU. */ 973 icp = (struct icmp *)((caddr_t) ip - 974 offsetof(struct icmp, icmp_ip)); 975 mtu = ntohs(icp->icmp_nextmtu); 976 977 /* 978 * Ignore the packet, if we do not receive a MTU 979 * or the MTU is too small to be acceptable. 980 */ 981 if (mtu < 296) 982 return; 983 984 memset(&dst, 0, sizeof(struct sockaddr_in)); 985 dst.sin_family = AF_INET; 986 dst.sin_len = sizeof(struct sockaddr_in); 987 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 988 989 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 990 991 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst, 992 proto); 993 if (tdbp == NULL || tdbp->tdb_flags & TDBF_INVALID) 994 return; 995 996 /* Walk the chain backwards to the first tdb */ 997 NET_ASSERT_LOCKED(); 998 for (; tdbp; tdbp = tdbp->tdb_inext) { 999 if (tdbp->tdb_flags & TDBF_INVALID || 1000 (adjust = ipsec_hdrsz(tdbp)) == -1) 1001 return; 1002 1003 mtu -= adjust; 1004 1005 /* Store adjusted MTU in tdb */ 1006 tdbp->tdb_mtu = mtu; 1007 tdbp->tdb_mtutimeout = gettime() + 1008 ip_mtudisc_timeout; 1009 DPRINTF("spi %08x mtu %d adjust %ld", 1010 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust); 1011 } 1012 } 1013 } 1014 1015 void 1016 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1017 { 1018 struct ip *ip = v; 1019 struct tdb *tdbp; 1020 struct icmp *icp; 1021 u_int32_t mtu; 1022 ssize_t adjust; 1023 struct sockaddr_in dst, src; 1024 union sockaddr_union *su_dst, *su_src; 1025 1026 NET_ASSERT_LOCKED(); 1027 1028 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 1029 mtu = ntohs(icp->icmp_nextmtu); 1030 1031 /* 1032 * Ignore the packet, if we do not receive a MTU 1033 * or the MTU is too small to be acceptable. 1034 */ 1035 if (mtu < 296) 1036 return; 1037 1038 memset(&dst, 0, sizeof(dst)); 1039 dst.sin_family = AF_INET; 1040 dst.sin_len = sizeof(struct sockaddr_in); 1041 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 1042 su_dst = (union sockaddr_union *)&dst; 1043 memset(&src, 0, sizeof(src)); 1044 src.sin_family = AF_INET; 1045 src.sin_len = sizeof(struct sockaddr_in); 1046 src.sin_addr.s_addr = ip->ip_src.s_addr; 1047 su_src = (union sockaddr_union *)&src; 1048 1049 tdbp = gettdbbysrcdst_rev(rdomain, 0, su_src, su_dst, 1050 IPPROTO_ESP); 1051 1052 for (; tdbp != NULL; tdbp = tdbp->tdb_snext) { 1053 if (tdbp->tdb_sproto == IPPROTO_ESP && 1054 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 1055 TDBF_UDPENCAP) && 1056 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 1057 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) { 1058 if ((adjust = ipsec_hdrsz(tdbp)) != -1) { 1059 /* Store adjusted MTU in tdb */ 1060 tdbp->tdb_mtu = mtu - adjust; 1061 tdbp->tdb_mtutimeout = gettime() + 1062 ip_mtudisc_timeout; 1063 DPRINTF("spi %08x mtu %d adjust %ld", 1064 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 1065 adjust); 1066 } 1067 } 1068 } 1069 } 1070 1071 void 1072 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1073 { 1074 if (sa->sa_family != AF_INET || 1075 sa->sa_len != sizeof(struct sockaddr_in)) 1076 return; 1077 1078 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 1079 } 1080 1081 #ifdef INET6 1082 /* IPv6 AH wrapper. */ 1083 int 1084 ah6_input(struct mbuf **mp, int *offp, int proto, int af) 1085 { 1086 int l = 0; 1087 int protoff, nxt; 1088 struct ip6_ext ip6e; 1089 1090 if ( 1091 #if NPF > 0 1092 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1093 #endif 1094 !ah_enable) 1095 return rip6_input(mp, offp, proto, af); 1096 1097 if (*offp < sizeof(struct ip6_hdr)) { 1098 DPRINTF("bad offset"); 1099 ahstat_inc(ahs_hdrops); 1100 m_freemp(mp); 1101 return IPPROTO_DONE; 1102 } else if (*offp == sizeof(struct ip6_hdr)) { 1103 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1104 } else { 1105 /* Chase down the header chain... */ 1106 protoff = sizeof(struct ip6_hdr); 1107 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1108 1109 do { 1110 protoff += l; 1111 m_copydata(*mp, protoff, sizeof(ip6e), 1112 (caddr_t) &ip6e); 1113 1114 if (nxt == IPPROTO_AH) 1115 l = (ip6e.ip6e_len + 2) << 2; 1116 else 1117 l = (ip6e.ip6e_len + 1) << 3; 1118 #ifdef DIAGNOSTIC 1119 if (l <= 0) 1120 panic("ah6_input: l went zero or negative"); 1121 #endif 1122 1123 nxt = ip6e.ip6e_nxt; 1124 } while (protoff + l < *offp); 1125 1126 /* Malformed packet check */ 1127 if (protoff + l != *offp) { 1128 DPRINTF("bad packet header chain"); 1129 ahstat_inc(ahs_hdrops); 1130 m_freemp(mp); 1131 return IPPROTO_DONE; 1132 } 1133 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1134 } 1135 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1136 return IPPROTO_DONE; 1137 } 1138 1139 /* IPv6 ESP wrapper. */ 1140 int 1141 esp6_input(struct mbuf **mp, int *offp, int proto, int af) 1142 { 1143 int l = 0; 1144 int protoff, nxt; 1145 struct ip6_ext ip6e; 1146 1147 if ( 1148 #if NPF > 0 1149 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1150 #endif 1151 !esp_enable) 1152 return rip6_input(mp, offp, proto, af); 1153 1154 if (*offp < sizeof(struct ip6_hdr)) { 1155 DPRINTF("bad offset"); 1156 espstat_inc(esps_hdrops); 1157 m_freemp(mp); 1158 return IPPROTO_DONE; 1159 } else if (*offp == sizeof(struct ip6_hdr)) { 1160 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1161 } else { 1162 /* Chase down the header chain... */ 1163 protoff = sizeof(struct ip6_hdr); 1164 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1165 1166 do { 1167 protoff += l; 1168 m_copydata(*mp, protoff, sizeof(ip6e), 1169 (caddr_t) &ip6e); 1170 1171 if (nxt == IPPROTO_AH) 1172 l = (ip6e.ip6e_len + 2) << 2; 1173 else 1174 l = (ip6e.ip6e_len + 1) << 3; 1175 #ifdef DIAGNOSTIC 1176 if (l <= 0) 1177 panic("esp6_input: l went zero or negative"); 1178 #endif 1179 1180 nxt = ip6e.ip6e_nxt; 1181 } while (protoff + l < *offp); 1182 1183 /* Malformed packet check */ 1184 if (protoff + l != *offp) { 1185 DPRINTF("bad packet header chain"); 1186 espstat_inc(esps_hdrops); 1187 m_freemp(mp); 1188 return IPPROTO_DONE; 1189 } 1190 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1191 } 1192 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1193 return IPPROTO_DONE; 1194 1195 } 1196 1197 /* IPv6 IPcomp wrapper */ 1198 int 1199 ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af) 1200 { 1201 int l = 0; 1202 int protoff, nxt; 1203 struct ip6_ext ip6e; 1204 1205 if ( 1206 #if NPF > 0 1207 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1208 #endif 1209 !ipcomp_enable) 1210 return rip6_input(mp, offp, proto, af); 1211 1212 if (*offp < sizeof(struct ip6_hdr)) { 1213 DPRINTF("bad offset"); 1214 ipcompstat_inc(ipcomps_hdrops); 1215 m_freemp(mp); 1216 return IPPROTO_DONE; 1217 } else if (*offp == sizeof(struct ip6_hdr)) { 1218 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1219 } else { 1220 /* Chase down the header chain... */ 1221 protoff = sizeof(struct ip6_hdr); 1222 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1223 1224 do { 1225 protoff += l; 1226 m_copydata(*mp, protoff, sizeof(ip6e), 1227 (caddr_t) &ip6e); 1228 if (nxt == IPPROTO_AH) 1229 l = (ip6e.ip6e_len + 2) << 2; 1230 else 1231 l = (ip6e.ip6e_len + 1) << 3; 1232 #ifdef DIAGNOSTIC 1233 if (l <= 0) 1234 panic("l went zero or negative"); 1235 #endif 1236 1237 nxt = ip6e.ip6e_nxt; 1238 } while (protoff + l < *offp); 1239 1240 /* Malformed packet check */ 1241 if (protoff + l != *offp) { 1242 DPRINTF("bad packet header chain"); 1243 ipcompstat_inc(ipcomps_hdrops); 1244 m_freemp(mp); 1245 return IPPROTO_DONE; 1246 } 1247 1248 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1249 } 1250 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1251 return IPPROTO_DONE; 1252 } 1253 #endif /* INET6 */ 1254 1255 int 1256 ipsec_forward_check(struct mbuf *m, int hlen, int af) 1257 { 1258 struct tdb *tdb; 1259 struct tdb_ident *tdbi; 1260 struct m_tag *mtag; 1261 int error = 0; 1262 1263 /* 1264 * IPsec policy check for forwarded packets. Look at 1265 * inner-most IPsec SA used. 1266 */ 1267 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1268 if (mtag != NULL) { 1269 tdbi = (struct tdb_ident *)(mtag + 1); 1270 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1271 } else 1272 tdb = NULL; 1273 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0); 1274 1275 return error; 1276 } 1277 1278 int 1279 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1280 { 1281 struct tdb *tdb; 1282 struct tdb_ident *tdbi; 1283 struct m_tag *mtag; 1284 int error = 0; 1285 1286 /* 1287 * If it's a protected packet for us, skip the policy check. 1288 * That's because we really only care about the properties of 1289 * the protected packet, and not the intermediate versions. 1290 * While this is not the most paranoid setting, it allows 1291 * some flexibility in handling nested tunnels (in setting up 1292 * the policies). 1293 */ 1294 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1295 (proto == IPPROTO_IPCOMP)) 1296 return 0; 1297 1298 /* 1299 * If the protected packet was tunneled, then we need to 1300 * verify the protected packet's information, not the 1301 * external headers. Thus, skip the policy lookup for the 1302 * external packet, and keep the IPsec information linked on 1303 * the packet header (the encapsulation routines know how 1304 * to deal with that). 1305 */ 1306 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1307 return 0; 1308 1309 /* 1310 * When processing IPv6 header chains, do not look at the 1311 * outer header. The inner protocol is relevant and will 1312 * be checked by the local delivery loop later. 1313 */ 1314 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1315 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1316 return 0; 1317 1318 /* 1319 * If the protected packet is TCP or UDP, we'll do the 1320 * policy check in the respective input routine, so we can 1321 * check for bypass sockets. 1322 */ 1323 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1324 return 0; 1325 1326 /* 1327 * IPsec policy check for local-delivery packets. Look at the 1328 * inner-most SA that protected the packet. This is in fact 1329 * a bit too restrictive (it could end up causing packets to 1330 * be dropped that semantically follow the policy, e.g., in 1331 * certain SA-bundle configurations); but the alternative is 1332 * very complicated (and requires keeping track of what 1333 * kinds of tunneling headers have been seen in-between the 1334 * IPsec headers), and I don't think we lose much functionality 1335 * that's needed in the real world (who uses bundles anyway ?). 1336 */ 1337 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1338 if (mtag) { 1339 tdbi = (struct tdb_ident *)(mtag + 1); 1340 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1341 tdbi->proto); 1342 } else 1343 tdb = NULL; 1344 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, 1345 tdb, NULL, 0); 1346 1347 return error; 1348 } 1349