1 /* $OpenBSD: ipsec_input.c,v 1.185 2021/10/22 15:44:20 bluhm Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pf.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/protosw.h> 43 #include <sys/mbuf.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/kernel.h> 47 #include <sys/timeout.h> 48 49 #include <net/if.h> 50 #include <net/if_var.h> 51 #include <net/netisr.h> 52 #include <net/bpf.h> 53 #include <net/route.h> 54 55 #include <netinet/in.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/ip_icmp.h> 59 #include <netinet/tcp.h> 60 #include <netinet/udp.h> 61 62 #if NPF > 0 63 #include <net/pfvar.h> 64 #endif 65 66 #ifdef INET6 67 #include <netinet6/in6_var.h> 68 #include <netinet/ip6.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/ip6protosw.h> 71 #endif /* INET6 */ 72 73 #include <netinet/ip_ipsp.h> 74 #include <netinet/ip_esp.h> 75 #include <netinet/ip_ah.h> 76 #include <netinet/ip_ipcomp.h> 77 78 #include <net/if_enc.h> 79 80 #include <crypto/cryptodev.h> 81 #include <crypto/xform.h> 82 83 #include "bpfilter.h" 84 85 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 86 87 #ifdef ENCDEBUG 88 #define DPRINTF(fmt, args...) \ 89 do { \ 90 if (encdebug) \ 91 printf("%s: " fmt "\n", __func__, ## args); \ 92 } while (0) 93 #else 94 #define DPRINTF(fmt, args...) \ 95 do { } while (0) 96 #endif 97 98 /* sysctl variables */ 99 int encdebug = 0; 100 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; 101 int ipsec_require_pfs = IPSEC_DEFAULT_PFS; 102 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; 103 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; 104 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; 105 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; 106 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; 107 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; 108 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; 109 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; 110 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; 111 112 int esp_enable = 1; 113 int ah_enable = 1; 114 int ipcomp_enable = 0; 115 116 const struct sysctl_bounded_args espctl_vars[] = { 117 {ESPCTL_ENABLE, &esp_enable, 0, 1}, 118 {ESPCTL_UDPENCAP_ENABLE, &udpencap_enable, 0, 1}, 119 {ESPCTL_UDPENCAP_PORT, &udpencap_port, 0, 65535}, 120 }; 121 const struct sysctl_bounded_args ahctl_vars[] = { 122 {AHCTL_ENABLE, &ah_enable, 0, 1}, 123 }; 124 const struct sysctl_bounded_args ipcompctl_vars[] = { 125 {IPCOMPCTL_ENABLE, &ipcomp_enable, 0, 1}, 126 }; 127 128 struct cpumem *espcounters; 129 struct cpumem *ahcounters; 130 struct cpumem *ipcompcounters; 131 struct cpumem *ipseccounters; 132 133 char ipsec_def_enc[20]; 134 char ipsec_def_auth[20]; 135 char ipsec_def_comp[20]; 136 137 const struct sysctl_bounded_args ipsecctl_vars[] = { 138 { IPSEC_ENCDEBUG, &encdebug, 0, 1 }, 139 { IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX }, 140 { IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX }, 141 { IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 }, 142 { IPSEC_SOFT_ALLOCATIONS, &ipsec_soft_allocations, 0, INT_MAX }, 143 { IPSEC_ALLOCATIONS, &ipsec_exp_allocations, 0, INT_MAX }, 144 { IPSEC_SOFT_BYTES, &ipsec_soft_bytes, 0, INT_MAX }, 145 { IPSEC_BYTES, &ipsec_exp_bytes, 0, INT_MAX }, 146 { IPSEC_TIMEOUT, &ipsec_exp_timeout, 0, INT_MAX }, 147 { IPSEC_SOFT_TIMEOUT, &ipsec_soft_timeout,0, INT_MAX }, 148 { IPSEC_SOFT_FIRSTUSE, &ipsec_soft_first_use, 0, INT_MAX }, 149 { IPSEC_FIRSTUSE, &ipsec_exp_first_use, 0, INT_MAX }, 150 }; 151 152 int esp_sysctl_espstat(void *, size_t *, void *); 153 int ah_sysctl_ahstat(void *, size_t *, void *); 154 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 155 int ipsec_sysctl_ipsecstat(void *, size_t *, void *); 156 157 void 158 ipsec_init(void) 159 { 160 espcounters = counters_alloc(esps_ncounters); 161 ahcounters = counters_alloc(ahs_ncounters); 162 ipcompcounters = counters_alloc(ipcomps_ncounters); 163 ipseccounters = counters_alloc(ipsec_ncounters); 164 165 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc)); 166 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth)); 167 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); 168 169 ipsp_init(); 170 } 171 172 /* 173 * ipsec_common_input() gets called when we receive an IPsec-protected packet 174 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 175 * transform. The callback takes care of further processing (like ingress 176 * filtering). 177 */ 178 int 179 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, 180 int udpencap) 181 { 182 #define IPSEC_ISTAT(x,y,z) do { \ 183 if (sproto == IPPROTO_ESP) \ 184 espstat_inc(x); \ 185 else if (sproto == IPPROTO_AH) \ 186 ahstat_inc(y); \ 187 else \ 188 ipcompstat_inc(z); \ 189 } while (0) 190 191 union sockaddr_union dst_address; 192 struct tdb *tdbp = NULL; 193 struct ifnet *encif; 194 u_int32_t spi; 195 u_int16_t cpi; 196 int error; 197 #ifdef ENCDEBUG 198 char buf[INET6_ADDRSTRLEN]; 199 #endif 200 201 NET_ASSERT_LOCKED(); 202 203 ipsecstat_pkt(ipsec_ipackets, ipsec_ibytes, m->m_pkthdr.len); 204 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 205 206 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 207 DPRINTF("repeated decompression"); 208 ipcompstat_inc(ipcomps_pdrops); 209 error = EINVAL; 210 goto drop; 211 } 212 213 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 214 DPRINTF("packet too small"); 215 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 216 error = EINVAL; 217 goto drop; 218 } 219 220 /* Retrieve the SPI from the relevant IPsec header */ 221 switch (sproto) { 222 case IPPROTO_ESP: 223 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 224 break; 225 case IPPROTO_AH: 226 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 227 (caddr_t) &spi); 228 break; 229 case IPPROTO_IPCOMP: 230 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 231 (caddr_t) &cpi); 232 spi = ntohl(htons(cpi)); 233 break; 234 default: 235 panic("%s: unknown/unsupported security protocol %d", 236 __func__, sproto); 237 } 238 239 /* 240 * Find tunnel control block and (indirectly) call the appropriate 241 * kernel crypto routine. The resulting mbuf chain is a valid 242 * IP packet ready to go through input processing. 243 */ 244 245 memset(&dst_address, 0, sizeof(dst_address)); 246 dst_address.sa.sa_family = af; 247 248 switch (af) { 249 case AF_INET: 250 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 251 m_copydata(m, offsetof(struct ip, ip_dst), 252 sizeof(struct in_addr), 253 (caddr_t) &(dst_address.sin.sin_addr)); 254 break; 255 256 #ifdef INET6 257 case AF_INET6: 258 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 259 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 260 sizeof(struct in6_addr), 261 (caddr_t) &(dst_address.sin6.sin6_addr)); 262 in6_recoverscope(&dst_address.sin6, 263 &dst_address.sin6.sin6_addr); 264 break; 265 #endif /* INET6 */ 266 267 default: 268 DPRINTF("unsupported protocol family %d", af); 269 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 270 error = EPFNOSUPPORT; 271 goto drop; 272 } 273 274 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 275 spi, &dst_address, sproto); 276 if (tdbp == NULL) { 277 DPRINTF("could not find SA for packet to %s, spi %08x", 278 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)); 279 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 280 error = ENOENT; 281 goto drop; 282 } 283 284 if (tdbp->tdb_flags & TDBF_INVALID) { 285 DPRINTF("attempted to use invalid SA %s/%08x/%u", 286 ipsp_address(&dst_address, buf, sizeof(buf)), 287 ntohl(spi), tdbp->tdb_sproto); 288 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 289 error = EINVAL; 290 goto drop; 291 } 292 293 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 294 DPRINTF("attempted to use non-udpencap SA %s/%08x/%u", 295 ipsp_address(&dst_address, buf, sizeof(buf)), 296 ntohl(spi), tdbp->tdb_sproto); 297 espstat_inc(esps_udpinval); 298 error = EINVAL; 299 goto drop; 300 } 301 302 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 303 DPRINTF("attempted to use udpencap SA %s/%08x/%u", 304 ipsp_address(&dst_address, buf, sizeof(buf)), 305 ntohl(spi), tdbp->tdb_sproto); 306 espstat_inc(esps_udpneeded); 307 error = EINVAL; 308 goto drop; 309 } 310 311 if (tdbp->tdb_xform == NULL) { 312 DPRINTF("attempted to use uninitialized SA %s/%08x/%u", 313 ipsp_address(&dst_address, buf, sizeof(buf)), 314 ntohl(spi), tdbp->tdb_sproto); 315 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 316 error = ENXIO; 317 goto drop; 318 } 319 320 if (sproto != IPPROTO_IPCOMP) { 321 if ((encif = enc_getif(tdbp->tdb_rdomain_post, 322 tdbp->tdb_tap)) == NULL) { 323 DPRINTF("no enc%u interface for SA %s/%08x/%u", 324 tdbp->tdb_tap, 325 ipsp_address(&dst_address, buf, sizeof(buf)), 326 ntohl(spi), tdbp->tdb_sproto); 327 IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops); 328 error = EACCES; 329 goto drop; 330 } 331 332 /* XXX This conflicts with the scoped nature of IPv6 */ 333 m->m_pkthdr.ph_ifidx = encif->if_index; 334 } 335 336 /* Register first use, setup expiration timer. */ 337 if (tdbp->tdb_first_use == 0) { 338 tdbp->tdb_first_use = gettime(); 339 if (tdbp->tdb_flags & TDBF_FIRSTUSE) 340 timeout_add_sec(&tdbp->tdb_first_tmo, 341 tdbp->tdb_exp_first_use); 342 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) 343 timeout_add_sec(&tdbp->tdb_sfirst_tmo, 344 tdbp->tdb_soft_first_use); 345 } 346 347 tdbp->tdb_ipackets++; 348 tdbp->tdb_ibytes += m->m_pkthdr.len; 349 350 /* 351 * Call appropriate transform and return -- callback takes care of 352 * everything else. 353 */ 354 error = (*(tdbp->tdb_xform->xf_input))(m, tdbp, skip, protoff); 355 if (error) { 356 ipsecstat_inc(ipsec_idrops); 357 tdbp->tdb_idrops++; 358 } 359 return error; 360 361 drop: 362 m_freem(m); 363 ipsecstat_inc(ipsec_idrops); 364 if (tdbp != NULL) 365 tdbp->tdb_idrops++; 366 return error; 367 } 368 369 void 370 ipsec_input_cb(struct cryptop *crp) 371 { 372 struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque; 373 struct mbuf *m = (struct mbuf *) crp->crp_buf; 374 struct tdb *tdb = NULL; 375 int clen, error; 376 377 NET_ASSERT_LOCKED(); 378 379 if (m == NULL) { 380 DPRINTF("bogus returned buffer from crypto"); 381 ipsecstat_inc(ipsec_crypto); 382 goto drop; 383 } 384 385 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 386 if (tdb == NULL) { 387 DPRINTF("TDB is expired while in crypto"); 388 ipsecstat_inc(ipsec_notdb); 389 goto drop; 390 } 391 392 /* Check for crypto errors */ 393 if (crp->crp_etype) { 394 if (crp->crp_etype == EAGAIN) { 395 /* Reset the session ID */ 396 if (tdb->tdb_cryptoid != 0) 397 tdb->tdb_cryptoid = crp->crp_sid; 398 crypto_dispatch(crp); 399 return; 400 } 401 DPRINTF("crypto error %d", crp->crp_etype); 402 ipsecstat_inc(ipsec_noxform); 403 goto drop; 404 } 405 406 /* Length of data after processing */ 407 clen = crp->crp_olen; 408 409 /* Release the crypto descriptors */ 410 crypto_freereq(crp); 411 412 switch (tdb->tdb_sproto) { 413 case IPPROTO_ESP: 414 error = esp_input_cb(tdb, tc, m, clen); 415 break; 416 case IPPROTO_AH: 417 error = ah_input_cb(tdb, tc, m, clen); 418 break; 419 case IPPROTO_IPCOMP: 420 error = ipcomp_input_cb(tdb, tc, m, clen); 421 break; 422 default: 423 panic("%s: unknown/unsupported security protocol %d", 424 __func__, tdb->tdb_sproto); 425 } 426 if (error) { 427 ipsecstat_inc(ipsec_idrops); 428 tdb->tdb_idrops++; 429 } 430 return; 431 432 drop: 433 m_freem(m); 434 free(tc, M_XDATA, 0); 435 crypto_freereq(crp); 436 ipsecstat_inc(ipsec_idrops); 437 if (tdb != NULL) 438 tdb->tdb_idrops++; 439 } 440 441 /* 442 * IPsec input callback, called by the transform callback. Takes care of 443 * filtering and other sanity checks on the processed packet. 444 */ 445 int 446 ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) 447 { 448 int af, sproto; 449 u_int8_t prot; 450 #if NBPFILTER > 0 451 struct ifnet *encif; 452 #endif 453 struct ip *ip, ipn; 454 #ifdef INET6 455 struct ip6_hdr *ip6, ip6n; 456 #endif /* INET6 */ 457 struct m_tag *mtag; 458 struct tdb_ident *tdbi; 459 #ifdef ENCDEBUG 460 char buf[INET6_ADDRSTRLEN]; 461 #endif 462 463 af = tdbp->tdb_dst.sa.sa_family; 464 sproto = tdbp->tdb_sproto; 465 466 tdbp->tdb_last_used = gettime(); 467 468 /* Fix IPv4 header */ 469 if (af == AF_INET) { 470 if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) { 471 DPRINTF("processing failed for SA %s/%08x", 472 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 473 ntohl(tdbp->tdb_spi)); 474 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 475 goto baddone; 476 } 477 478 ip = mtod(m, struct ip *); 479 ip->ip_len = htons(m->m_pkthdr.len); 480 ip->ip_sum = 0; 481 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 482 prot = ip->ip_p; 483 484 /* IP-in-IP encapsulation */ 485 if (prot == IPPROTO_IPIP) { 486 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 487 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 488 ipcomps_hdrops); 489 goto baddone; 490 } 491 /* ipn will now contain the inner IPv4 header */ 492 m_copydata(m, skip, sizeof(struct ip), 493 (caddr_t) &ipn); 494 } 495 496 #ifdef INET6 497 /* IPv6-in-IP encapsulation. */ 498 if (prot == IPPROTO_IPV6) { 499 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 500 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 501 ipcomps_hdrops); 502 goto baddone; 503 } 504 /* ip6n will now contain the inner IPv6 header. */ 505 m_copydata(m, skip, sizeof(struct ip6_hdr), 506 (caddr_t) &ip6n); 507 } 508 #endif /* INET6 */ 509 } 510 511 #ifdef INET6 512 /* Fix IPv6 header */ 513 if (af == AF_INET6) { 514 if (m->m_len < sizeof(struct ip6_hdr) && 515 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 516 517 DPRINTF("processing failed for SA %s/%08x", 518 ipsp_address(&tdbp->tdb_dst, buf, sizeof(buf)), 519 ntohl(tdbp->tdb_spi)); 520 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 521 goto baddone; 522 } 523 524 ip6 = mtod(m, struct ip6_hdr *); 525 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 526 527 /* Save protocol */ 528 m_copydata(m, protoff, 1, (caddr_t) &prot); 529 530 /* IP-in-IP encapsulation */ 531 if (prot == IPPROTO_IPIP) { 532 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 533 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 534 ipcomps_hdrops); 535 goto baddone; 536 } 537 /* ipn will now contain the inner IPv4 header */ 538 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 539 } 540 541 /* IPv6-in-IP encapsulation */ 542 if (prot == IPPROTO_IPV6) { 543 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 544 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 545 ipcomps_hdrops); 546 goto baddone; 547 } 548 /* ip6n will now contain the inner IPv6 header. */ 549 m_copydata(m, skip, sizeof(struct ip6_hdr), 550 (caddr_t) &ip6n); 551 } 552 } 553 #endif /* INET6 */ 554 555 /* 556 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 557 * (RFC3948 3.1.2) 558 */ 559 if ((af == AF_INET || af == AF_INET6) && 560 (tdbp->tdb_flags & TDBF_UDPENCAP) && 561 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 562 u_int16_t cksum; 563 564 switch (prot) { 565 case IPPROTO_UDP: 566 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 567 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 568 ipcomps_hdrops); 569 goto baddone; 570 } 571 cksum = 0; 572 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 573 sizeof(cksum), &cksum, M_NOWAIT); 574 #ifdef INET6 575 if (af == AF_INET6) { 576 cksum = in6_cksum(m, IPPROTO_UDP, skip, 577 m->m_pkthdr.len - skip); 578 m_copyback(m, skip + offsetof(struct udphdr, 579 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 580 } 581 #endif 582 break; 583 case IPPROTO_TCP: 584 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 585 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 586 ipcomps_hdrops); 587 goto baddone; 588 } 589 cksum = 0; 590 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 591 sizeof(cksum), &cksum, M_NOWAIT); 592 if (af == AF_INET) 593 cksum = in4_cksum(m, IPPROTO_TCP, skip, 594 m->m_pkthdr.len - skip); 595 #ifdef INET6 596 else if (af == AF_INET6) 597 cksum = in6_cksum(m, IPPROTO_TCP, skip, 598 m->m_pkthdr.len - skip); 599 #endif 600 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 601 sizeof(cksum), &cksum, M_NOWAIT); 602 break; 603 } 604 } 605 606 /* 607 * Record what we've done to the packet (under what SA it was 608 * processed). 609 */ 610 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 611 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 612 sizeof(struct tdb_ident), M_NOWAIT); 613 if (mtag == NULL) { 614 DPRINTF("failed to get tag"); 615 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 616 goto baddone; 617 } 618 619 tdbi = (struct tdb_ident *)(mtag + 1); 620 tdbi->dst = tdbp->tdb_dst; 621 tdbi->proto = tdbp->tdb_sproto; 622 tdbi->spi = tdbp->tdb_spi; 623 tdbi->rdomain = tdbp->tdb_rdomain; 624 625 m_tag_prepend(m, mtag); 626 } 627 628 switch (sproto) { 629 case IPPROTO_ESP: 630 /* Packet is confidential ? */ 631 if (tdbp->tdb_encalgxform) 632 m->m_flags |= M_CONF; 633 634 /* Check if we had authenticated ESP. */ 635 if (tdbp->tdb_authalgxform) 636 m->m_flags |= M_AUTH; 637 break; 638 case IPPROTO_AH: 639 m->m_flags |= M_AUTH; 640 break; 641 case IPPROTO_IPCOMP: 642 m->m_flags |= M_COMP; 643 break; 644 default: 645 panic("%s: unknown/unsupported security protocol %d", 646 __func__, sproto); 647 } 648 649 #if NPF > 0 650 /* Add pf tag if requested. */ 651 pf_tag_packet(m, tdbp->tdb_tag, -1); 652 pf_pkt_addr_changed(m); 653 #endif 654 if (tdbp->tdb_rdomain != tdbp->tdb_rdomain_post) 655 m->m_pkthdr.ph_rtableid = tdbp->tdb_rdomain_post; 656 657 if (tdbp->tdb_flags & TDBF_TUNNELING) 658 m->m_flags |= M_TUNNEL; 659 660 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); 661 tdbp->tdb_idecompbytes += m->m_pkthdr.len; 662 663 #if NBPFILTER > 0 664 if ((encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap)) != NULL) { 665 encif->if_ipackets++; 666 encif->if_ibytes += m->m_pkthdr.len; 667 668 if (encif->if_bpf) { 669 struct enchdr hdr; 670 671 hdr.af = af; 672 hdr.spi = tdbp->tdb_spi; 673 hdr.flags = m->m_flags & (M_AUTH|M_CONF); 674 675 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 676 ENC_HDRLEN, m, BPF_DIRECTION_IN); 677 } 678 } 679 #endif 680 681 #if NPF > 0 682 /* 683 * The ip_deliver() shortcut avoids running through ip_input() with the 684 * same IP header twice. Packets in transport mode have to be be 685 * passed to pf explicitly. In tunnel mode the inner IP header will 686 * run through ip_input() and pf anyway. 687 */ 688 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 689 struct ifnet *ifp; 690 691 /* This is the enc0 interface unless for ipcomp. */ 692 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 693 goto baddone; 694 } 695 if (pf_test(af, PF_IN, ifp, &m) != PF_PASS) { 696 if_put(ifp); 697 goto baddone; 698 } 699 if_put(ifp); 700 if (m == NULL) 701 return 0; 702 } 703 #endif 704 /* Call the appropriate IPsec transform callback. */ 705 ip_deliver(&m, &skip, prot, af); 706 return 0; 707 708 baddone: 709 m_freem(m); 710 return -1; 711 #undef IPSEC_ISTAT 712 } 713 714 int 715 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 716 size_t newlen) 717 { 718 int error; 719 720 switch (name[0]) { 721 case IPCTL_IPSEC_ENC_ALGORITHM: 722 NET_LOCK(); 723 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 724 ipsec_def_enc, sizeof(ipsec_def_enc)); 725 NET_UNLOCK(); 726 return (error); 727 case IPCTL_IPSEC_AUTH_ALGORITHM: 728 NET_LOCK(); 729 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 730 ipsec_def_auth, sizeof(ipsec_def_auth)); 731 NET_UNLOCK(); 732 return (error); 733 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 734 NET_LOCK(); 735 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 736 ipsec_def_comp, sizeof(ipsec_def_comp)); 737 NET_UNLOCK(); 738 return (error); 739 case IPCTL_IPSEC_STATS: 740 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp)); 741 default: 742 NET_LOCK(); 743 error = sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars), 744 name, namelen, oldp, oldlenp, newp, newlen); 745 NET_UNLOCK(); 746 return (error); 747 } 748 } 749 750 int 751 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 752 size_t newlen) 753 { 754 int error; 755 756 /* All sysctl names at this level are terminal. */ 757 if (namelen != 1) 758 return (ENOTDIR); 759 760 switch (name[0]) { 761 case ESPCTL_STATS: 762 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 763 default: 764 NET_LOCK(); 765 error = sysctl_bounded_arr(espctl_vars, nitems(espctl_vars), 766 name, namelen, oldp, oldlenp, newp, newlen); 767 NET_UNLOCK(); 768 return (error); 769 } 770 } 771 772 int 773 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 774 { 775 struct espstat espstat; 776 777 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 778 memset(&espstat, 0, sizeof espstat); 779 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters); 780 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 781 sizeof(espstat))); 782 } 783 784 int 785 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 786 size_t newlen) 787 { 788 int error; 789 790 /* All sysctl names at this level are terminal. */ 791 if (namelen != 1) 792 return (ENOTDIR); 793 794 switch (name[0]) { 795 case AHCTL_STATS: 796 return ah_sysctl_ahstat(oldp, oldlenp, newp); 797 default: 798 NET_LOCK(); 799 error = sysctl_bounded_arr(ahctl_vars, nitems(ahctl_vars), name, 800 namelen, oldp, oldlenp, newp, newlen); 801 NET_UNLOCK(); 802 return (error); 803 } 804 } 805 806 int 807 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 808 { 809 struct ahstat ahstat; 810 811 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 812 memset(&ahstat, 0, sizeof ahstat); 813 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters); 814 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 815 } 816 817 int 818 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 819 size_t newlen) 820 { 821 int error; 822 823 /* All sysctl names at this level are terminal. */ 824 if (namelen != 1) 825 return (ENOTDIR); 826 827 switch (name[0]) { 828 case IPCOMPCTL_STATS: 829 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 830 default: 831 NET_LOCK(); 832 error = sysctl_bounded_arr(ipcompctl_vars, 833 nitems(ipcompctl_vars), name, namelen, oldp, oldlenp, 834 newp, newlen); 835 NET_UNLOCK(); 836 return (error); 837 } 838 } 839 840 int 841 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 842 { 843 struct ipcompstat ipcompstat; 844 845 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 846 memset(&ipcompstat, 0, sizeof ipcompstat); 847 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 848 ipcomps_ncounters); 849 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 850 sizeof(ipcompstat))); 851 } 852 853 int 854 ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp) 855 { 856 struct ipsecstat ipsecstat; 857 858 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t))); 859 memset(&ipsecstat, 0, sizeof ipsecstat); 860 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters); 861 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat, 862 sizeof(ipsecstat))); 863 } 864 865 /* IPv4 AH wrapper. */ 866 int 867 ah4_input(struct mbuf **mp, int *offp, int proto, int af) 868 { 869 if ( 870 #if NPF > 0 871 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 872 #endif 873 !ah_enable) 874 return rip_input(mp, offp, proto, af); 875 876 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 877 proto, 0); 878 return IPPROTO_DONE; 879 } 880 881 void 882 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 883 { 884 if (sa->sa_family != AF_INET || 885 sa->sa_len != sizeof(struct sockaddr_in)) 886 return; 887 888 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 889 } 890 891 /* IPv4 ESP wrapper. */ 892 int 893 esp4_input(struct mbuf **mp, int *offp, int proto, int af) 894 { 895 if ( 896 #if NPF > 0 897 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 898 #endif 899 !esp_enable) 900 return rip_input(mp, offp, proto, af); 901 902 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 903 proto, 0); 904 return IPPROTO_DONE; 905 } 906 907 /* IPv4 IPCOMP wrapper */ 908 int 909 ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af) 910 { 911 if ( 912 #if NPF > 0 913 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 914 #endif 915 !ipcomp_enable) 916 return rip_input(mp, offp, proto, af); 917 918 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 919 proto, 0); 920 return IPPROTO_DONE; 921 } 922 923 void 924 ipsec_set_mtu(struct tdb *tdbp, u_int32_t mtu) 925 { 926 ssize_t adjust; 927 928 NET_ASSERT_LOCKED(); 929 930 /* Walk the chain backwards to the first tdb */ 931 for (; tdbp != NULL; tdbp = tdbp->tdb_inext) { 932 if (tdbp->tdb_flags & TDBF_INVALID || 933 (adjust = ipsec_hdrsz(tdbp)) == -1) 934 return; 935 936 mtu -= adjust; 937 938 /* Store adjusted MTU in tdb */ 939 tdbp->tdb_mtu = mtu; 940 tdbp->tdb_mtutimeout = gettime() + ip_mtudisc_timeout; 941 DPRINTF("spi %08x mtu %d adjust %ld", 942 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust); 943 } 944 } 945 946 void 947 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 948 void *v, int proto) 949 { 950 struct ip *ip = v; 951 952 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) { 953 struct tdb *tdbp; 954 struct sockaddr_in dst; 955 struct icmp *icp; 956 int hlen = ip->ip_hl << 2; 957 u_int32_t spi, mtu; 958 959 /* Find the right MTU. */ 960 icp = (struct icmp *)((caddr_t) ip - 961 offsetof(struct icmp, icmp_ip)); 962 mtu = ntohs(icp->icmp_nextmtu); 963 964 /* 965 * Ignore the packet, if we do not receive a MTU 966 * or the MTU is too small to be acceptable. 967 */ 968 if (mtu < 296) 969 return; 970 971 memset(&dst, 0, sizeof(struct sockaddr_in)); 972 dst.sin_family = AF_INET; 973 dst.sin_len = sizeof(struct sockaddr_in); 974 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 975 976 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 977 978 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst, 979 proto); 980 ipsec_set_mtu(tdbp, mtu); 981 } 982 } 983 984 void 985 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 986 { 987 struct ip *ip = v; 988 struct tdb *tdbp; 989 struct icmp *icp; 990 u_int32_t mtu; 991 struct sockaddr_in dst, src; 992 union sockaddr_union *su_dst, *su_src; 993 994 NET_ASSERT_LOCKED(); 995 996 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 997 mtu = ntohs(icp->icmp_nextmtu); 998 999 /* 1000 * Ignore the packet, if we do not receive a MTU 1001 * or the MTU is too small to be acceptable. 1002 */ 1003 if (mtu < 296) 1004 return; 1005 1006 memset(&dst, 0, sizeof(dst)); 1007 dst.sin_family = AF_INET; 1008 dst.sin_len = sizeof(struct sockaddr_in); 1009 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 1010 su_dst = (union sockaddr_union *)&dst; 1011 memset(&src, 0, sizeof(src)); 1012 src.sin_family = AF_INET; 1013 src.sin_len = sizeof(struct sockaddr_in); 1014 src.sin_addr.s_addr = ip->ip_src.s_addr; 1015 su_src = (union sockaddr_union *)&src; 1016 1017 tdbp = gettdbbysrcdst_rev(rdomain, 0, su_src, su_dst, 1018 IPPROTO_ESP); 1019 1020 for (; tdbp != NULL; tdbp = tdbp->tdb_snext) { 1021 if (tdbp->tdb_sproto == IPPROTO_ESP && 1022 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 1023 TDBF_UDPENCAP) && 1024 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 1025 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) { 1026 ipsec_set_mtu(tdbp, mtu); 1027 } 1028 } 1029 } 1030 1031 void 1032 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1033 { 1034 if (sa->sa_family != AF_INET || 1035 sa->sa_len != sizeof(struct sockaddr_in)) 1036 return; 1037 1038 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 1039 } 1040 1041 #ifdef INET6 1042 /* IPv6 AH wrapper. */ 1043 int 1044 ah6_input(struct mbuf **mp, int *offp, int proto, int af) 1045 { 1046 int l = 0; 1047 int protoff, nxt; 1048 struct ip6_ext ip6e; 1049 1050 if ( 1051 #if NPF > 0 1052 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1053 #endif 1054 !ah_enable) 1055 return rip6_input(mp, offp, proto, af); 1056 1057 if (*offp < sizeof(struct ip6_hdr)) { 1058 DPRINTF("bad offset"); 1059 ahstat_inc(ahs_hdrops); 1060 m_freemp(mp); 1061 return IPPROTO_DONE; 1062 } else if (*offp == sizeof(struct ip6_hdr)) { 1063 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1064 } else { 1065 /* Chase down the header chain... */ 1066 protoff = sizeof(struct ip6_hdr); 1067 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1068 1069 do { 1070 protoff += l; 1071 m_copydata(*mp, protoff, sizeof(ip6e), 1072 (caddr_t) &ip6e); 1073 1074 if (nxt == IPPROTO_AH) 1075 l = (ip6e.ip6e_len + 2) << 2; 1076 else 1077 l = (ip6e.ip6e_len + 1) << 3; 1078 #ifdef DIAGNOSTIC 1079 if (l <= 0) 1080 panic("ah6_input: l went zero or negative"); 1081 #endif 1082 1083 nxt = ip6e.ip6e_nxt; 1084 } while (protoff + l < *offp); 1085 1086 /* Malformed packet check */ 1087 if (protoff + l != *offp) { 1088 DPRINTF("bad packet header chain"); 1089 ahstat_inc(ahs_hdrops); 1090 m_freemp(mp); 1091 return IPPROTO_DONE; 1092 } 1093 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1094 } 1095 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1096 return IPPROTO_DONE; 1097 } 1098 1099 /* IPv6 ESP wrapper. */ 1100 int 1101 esp6_input(struct mbuf **mp, int *offp, int proto, int af) 1102 { 1103 int l = 0; 1104 int protoff, nxt; 1105 struct ip6_ext ip6e; 1106 1107 if ( 1108 #if NPF > 0 1109 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1110 #endif 1111 !esp_enable) 1112 return rip6_input(mp, offp, proto, af); 1113 1114 if (*offp < sizeof(struct ip6_hdr)) { 1115 DPRINTF("bad offset"); 1116 espstat_inc(esps_hdrops); 1117 m_freemp(mp); 1118 return IPPROTO_DONE; 1119 } else if (*offp == sizeof(struct ip6_hdr)) { 1120 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1121 } else { 1122 /* Chase down the header chain... */ 1123 protoff = sizeof(struct ip6_hdr); 1124 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1125 1126 do { 1127 protoff += l; 1128 m_copydata(*mp, protoff, sizeof(ip6e), 1129 (caddr_t) &ip6e); 1130 1131 if (nxt == IPPROTO_AH) 1132 l = (ip6e.ip6e_len + 2) << 2; 1133 else 1134 l = (ip6e.ip6e_len + 1) << 3; 1135 #ifdef DIAGNOSTIC 1136 if (l <= 0) 1137 panic("esp6_input: l went zero or negative"); 1138 #endif 1139 1140 nxt = ip6e.ip6e_nxt; 1141 } while (protoff + l < *offp); 1142 1143 /* Malformed packet check */ 1144 if (protoff + l != *offp) { 1145 DPRINTF("bad packet header chain"); 1146 espstat_inc(esps_hdrops); 1147 m_freemp(mp); 1148 return IPPROTO_DONE; 1149 } 1150 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1151 } 1152 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1153 return IPPROTO_DONE; 1154 1155 } 1156 1157 /* IPv6 IPcomp wrapper */ 1158 int 1159 ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af) 1160 { 1161 int l = 0; 1162 int protoff, nxt; 1163 struct ip6_ext ip6e; 1164 1165 if ( 1166 #if NPF > 0 1167 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1168 #endif 1169 !ipcomp_enable) 1170 return rip6_input(mp, offp, proto, af); 1171 1172 if (*offp < sizeof(struct ip6_hdr)) { 1173 DPRINTF("bad offset"); 1174 ipcompstat_inc(ipcomps_hdrops); 1175 m_freemp(mp); 1176 return IPPROTO_DONE; 1177 } else if (*offp == sizeof(struct ip6_hdr)) { 1178 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1179 } else { 1180 /* Chase down the header chain... */ 1181 protoff = sizeof(struct ip6_hdr); 1182 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1183 1184 do { 1185 protoff += l; 1186 m_copydata(*mp, protoff, sizeof(ip6e), 1187 (caddr_t) &ip6e); 1188 if (nxt == IPPROTO_AH) 1189 l = (ip6e.ip6e_len + 2) << 2; 1190 else 1191 l = (ip6e.ip6e_len + 1) << 3; 1192 #ifdef DIAGNOSTIC 1193 if (l <= 0) 1194 panic("l went zero or negative"); 1195 #endif 1196 1197 nxt = ip6e.ip6e_nxt; 1198 } while (protoff + l < *offp); 1199 1200 /* Malformed packet check */ 1201 if (protoff + l != *offp) { 1202 DPRINTF("bad packet header chain"); 1203 ipcompstat_inc(ipcomps_hdrops); 1204 m_freemp(mp); 1205 return IPPROTO_DONE; 1206 } 1207 1208 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1209 } 1210 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1211 return IPPROTO_DONE; 1212 } 1213 #endif /* INET6 */ 1214 1215 int 1216 ipsec_forward_check(struct mbuf *m, int hlen, int af) 1217 { 1218 struct tdb *tdb; 1219 struct tdb_ident *tdbi; 1220 struct m_tag *mtag; 1221 int error = 0; 1222 1223 /* 1224 * IPsec policy check for forwarded packets. Look at 1225 * inner-most IPsec SA used. 1226 */ 1227 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1228 if (mtag != NULL) { 1229 tdbi = (struct tdb_ident *)(mtag + 1); 1230 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1231 } else 1232 tdb = NULL; 1233 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0); 1234 1235 return error; 1236 } 1237 1238 int 1239 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1240 { 1241 struct tdb *tdb; 1242 struct tdb_ident *tdbi; 1243 struct m_tag *mtag; 1244 int error = 0; 1245 1246 /* 1247 * If it's a protected packet for us, skip the policy check. 1248 * That's because we really only care about the properties of 1249 * the protected packet, and not the intermediate versions. 1250 * While this is not the most paranoid setting, it allows 1251 * some flexibility in handling nested tunnels (in setting up 1252 * the policies). 1253 */ 1254 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1255 (proto == IPPROTO_IPCOMP)) 1256 return 0; 1257 1258 /* 1259 * If the protected packet was tunneled, then we need to 1260 * verify the protected packet's information, not the 1261 * external headers. Thus, skip the policy lookup for the 1262 * external packet, and keep the IPsec information linked on 1263 * the packet header (the encapsulation routines know how 1264 * to deal with that). 1265 */ 1266 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1267 return 0; 1268 1269 /* 1270 * When processing IPv6 header chains, do not look at the 1271 * outer header. The inner protocol is relevant and will 1272 * be checked by the local delivery loop later. 1273 */ 1274 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1275 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1276 return 0; 1277 1278 /* 1279 * If the protected packet is TCP or UDP, we'll do the 1280 * policy check in the respective input routine, so we can 1281 * check for bypass sockets. 1282 */ 1283 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1284 return 0; 1285 1286 /* 1287 * IPsec policy check for local-delivery packets. Look at the 1288 * inner-most SA that protected the packet. This is in fact 1289 * a bit too restrictive (it could end up causing packets to 1290 * be dropped that semantically follow the policy, e.g., in 1291 * certain SA-bundle configurations); but the alternative is 1292 * very complicated (and requires keeping track of what 1293 * kinds of tunneling headers have been seen in-between the 1294 * IPsec headers), and I don't think we lose much functionality 1295 * that's needed in the real world (who uses bundles anyway ?). 1296 */ 1297 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1298 if (mtag) { 1299 tdbi = (struct tdb_ident *)(mtag + 1); 1300 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1301 tdbi->proto); 1302 } else 1303 tdb = NULL; 1304 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, 1305 tdb, NULL, 0); 1306 1307 return error; 1308 } 1309