1 /* $OpenBSD: ipsec_input.c,v 1.169 2019/09/30 01:53:05 dlg Exp $ */ 2 /* 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * 22 * Permission to use, copy, and modify this software with or without fee 23 * is hereby granted, provided that this entire notice is included in 24 * all copies of any software which is or includes a copy or 25 * modification of this software. 26 * You may use this code under the GNU public license if you so wish. Please 27 * contribute changes back to the authors under this freer than GPL license 28 * so that we may further the use of strong encryption without limitations to 29 * all. 30 * 31 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 32 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 33 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 34 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 35 * PURPOSE. 36 */ 37 38 #include "pf.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/protosw.h> 43 #include <sys/mbuf.h> 44 #include <sys/socket.h> 45 #include <sys/sysctl.h> 46 #include <sys/kernel.h> 47 #include <sys/timeout.h> 48 49 #include <net/if.h> 50 #include <net/if_var.h> 51 #include <net/netisr.h> 52 #include <net/bpf.h> 53 #include <net/route.h> 54 55 #include <netinet/in.h> 56 #include <netinet/ip.h> 57 #include <netinet/ip_var.h> 58 #include <netinet/ip_icmp.h> 59 #include <netinet/tcp.h> 60 #include <netinet/udp.h> 61 62 #if NPF > 0 63 #include <net/pfvar.h> 64 #endif 65 66 #ifdef INET6 67 #include <netinet6/in6_var.h> 68 #include <netinet/ip6.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet6/ip6protosw.h> 71 #endif /* INET6 */ 72 73 #include <netinet/ip_ipsp.h> 74 #include <netinet/ip_esp.h> 75 #include <netinet/ip_ah.h> 76 #include <netinet/ip_ipcomp.h> 77 78 #include <net/if_enc.h> 79 80 #include <crypto/cryptodev.h> 81 #include <crypto/xform.h> 82 83 #include "bpfilter.h" 84 85 void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); 86 87 #ifdef ENCDEBUG 88 #define DPRINTF(x) if (encdebug) printf x 89 #else 90 #define DPRINTF(x) 91 #endif 92 93 /* sysctl variables */ 94 int encdebug = 0; 95 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT; 96 int ipsec_require_pfs = IPSEC_DEFAULT_PFS; 97 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS; 98 int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS; 99 int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES; 100 int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES; 101 int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT; 102 int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT; 103 int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE; 104 int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE; 105 int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE; 106 107 int esp_enable = 1; 108 int ah_enable = 1; 109 int ipcomp_enable = 0; 110 111 int *espctl_vars[ESPCTL_MAXID] = ESPCTL_VARS; 112 int *ahctl_vars[AHCTL_MAXID] = AHCTL_VARS; 113 int *ipcompctl_vars[IPCOMPCTL_MAXID] = IPCOMPCTL_VARS; 114 115 struct cpumem *espcounters; 116 struct cpumem *ahcounters; 117 struct cpumem *ipcompcounters; 118 struct cpumem *ipseccounters; 119 120 char ipsec_def_enc[20]; 121 char ipsec_def_auth[20]; 122 char ipsec_def_comp[20]; 123 124 int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS; 125 126 int esp_sysctl_espstat(void *, size_t *, void *); 127 int ah_sysctl_ahstat(void *, size_t *, void *); 128 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *); 129 int ipsec_sysctl_ipsecstat(void *, size_t *, void *); 130 131 void 132 ipsec_init(void) 133 { 134 espcounters = counters_alloc(esps_ncounters); 135 ahcounters = counters_alloc(ahs_ncounters); 136 ipcompcounters = counters_alloc(ipcomps_ncounters); 137 ipseccounters = counters_alloc(ipsec_ncounters); 138 139 strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc)); 140 strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth)); 141 strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp)); 142 143 } 144 145 /* 146 * ipsec_common_input() gets called when we receive an IPsec-protected packet 147 * in IPv4 or IPv6. All it does is find the right TDB and call the appropriate 148 * transform. The callback takes care of further processing (like ingress 149 * filtering). 150 */ 151 int 152 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto, 153 int udpencap) 154 { 155 #define IPSEC_ISTAT(x,y,z) do { \ 156 if (sproto == IPPROTO_ESP) \ 157 espstat_inc(x); \ 158 else if (sproto == IPPROTO_AH) \ 159 ahstat_inc(y); \ 160 else \ 161 ipcompstat_inc(z); \ 162 } while (0) 163 164 union sockaddr_union dst_address; 165 struct tdb *tdbp = NULL; 166 struct ifnet *encif; 167 u_int32_t spi; 168 u_int16_t cpi; 169 int error; 170 #ifdef ENCDEBUG 171 char buf[INET6_ADDRSTRLEN]; 172 #endif 173 174 NET_ASSERT_LOCKED(); 175 176 ipsecstat_inc(ipsec_ipackets); 177 ipsecstat_add(ipsec_ibytes, m->m_pkthdr.len); 178 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input); 179 180 if (m == NULL) { 181 DPRINTF(("%s: NULL packet received\n", __func__)); 182 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 183 return EINVAL; 184 } 185 186 if ((sproto == IPPROTO_IPCOMP) && (m->m_flags & M_COMP)) { 187 DPRINTF(("%s: repeated decompression\n", __func__)); 188 ipcompstat_inc(ipcomps_pdrops); 189 error = EINVAL; 190 goto drop; 191 } 192 193 if (m->m_pkthdr.len - skip < 2 * sizeof(u_int32_t)) { 194 DPRINTF(("%s: packet too small\n", __func__)); 195 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 196 error = EINVAL; 197 goto drop; 198 } 199 200 /* Retrieve the SPI from the relevant IPsec header */ 201 switch (sproto) { 202 case IPPROTO_ESP: 203 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 204 break; 205 case IPPROTO_AH: 206 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 207 (caddr_t) &spi); 208 break; 209 case IPPROTO_IPCOMP: 210 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 211 (caddr_t) &cpi); 212 spi = ntohl(htons(cpi)); 213 break; 214 default: 215 panic("%s: unknown/unsupported security protocol %d", 216 __func__, sproto); 217 } 218 219 /* 220 * Find tunnel control block and (indirectly) call the appropriate 221 * kernel crypto routine. The resulting mbuf chain is a valid 222 * IP packet ready to go through input processing. 223 */ 224 225 memset(&dst_address, 0, sizeof(dst_address)); 226 dst_address.sa.sa_family = af; 227 228 switch (af) { 229 case AF_INET: 230 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 231 m_copydata(m, offsetof(struct ip, ip_dst), 232 sizeof(struct in_addr), 233 (caddr_t) &(dst_address.sin.sin_addr)); 234 break; 235 236 #ifdef INET6 237 case AF_INET6: 238 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 239 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 240 sizeof(struct in6_addr), 241 (caddr_t) &(dst_address.sin6.sin6_addr)); 242 in6_recoverscope(&dst_address.sin6, 243 &dst_address.sin6.sin6_addr); 244 break; 245 #endif /* INET6 */ 246 247 default: 248 DPRINTF(("%s: unsupported protocol family %d\n", __func__, af)); 249 IPSEC_ISTAT(esps_nopf, ahs_nopf, ipcomps_nopf); 250 error = EPFNOSUPPORT; 251 goto drop; 252 } 253 254 tdbp = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid), 255 spi, &dst_address, sproto); 256 if (tdbp == NULL) { 257 DPRINTF(("%s: could not find SA for packet to %s, spi %08x\n", 258 __func__, 259 ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi))); 260 IPSEC_ISTAT(esps_notdb, ahs_notdb, ipcomps_notdb); 261 error = ENOENT; 262 goto drop; 263 } 264 265 if (tdbp->tdb_flags & TDBF_INVALID) { 266 DPRINTF(("%s: attempted to use invalid SA %s/%08x/%u\n", 267 __func__, ipsp_address(&dst_address, buf, 268 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 269 IPSEC_ISTAT(esps_invalid, ahs_invalid, ipcomps_invalid); 270 error = EINVAL; 271 goto drop; 272 } 273 274 if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) { 275 DPRINTF(("%s: attempted to use non-udpencap SA %s/%08x/%u\n", 276 __func__, ipsp_address(&dst_address, buf, 277 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 278 espstat_inc(esps_udpinval); 279 error = EINVAL; 280 goto drop; 281 } 282 283 if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) { 284 DPRINTF(("%s: attempted to use udpencap SA %s/%08x/%u\n", 285 __func__, ipsp_address(&dst_address, buf, 286 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 287 espstat_inc(esps_udpneeded); 288 error = EINVAL; 289 goto drop; 290 } 291 292 if (tdbp->tdb_xform == NULL) { 293 DPRINTF(("%s: attempted to use uninitialized SA %s/%08x/%u\n", 294 __func__, ipsp_address(&dst_address, buf, 295 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 296 IPSEC_ISTAT(esps_noxform, ahs_noxform, ipcomps_noxform); 297 error = ENXIO; 298 goto drop; 299 } 300 301 if (sproto != IPPROTO_IPCOMP) { 302 if ((encif = enc_getif(tdbp->tdb_rdomain, 303 tdbp->tdb_tap)) == NULL) { 304 DPRINTF(("%s: no enc%u interface for SA %s/%08x/%u\n", 305 __func__, 306 tdbp->tdb_tap, ipsp_address(&dst_address, buf, 307 sizeof(buf)), ntohl(spi), tdbp->tdb_sproto)); 308 IPSEC_ISTAT(esps_pdrops, ahs_pdrops, ipcomps_pdrops); 309 error = EACCES; 310 goto drop; 311 } 312 313 /* XXX This conflicts with the scoped nature of IPv6 */ 314 m->m_pkthdr.ph_ifidx = encif->if_index; 315 } 316 317 /* Register first use, setup expiration timer. */ 318 if (tdbp->tdb_first_use == 0) { 319 tdbp->tdb_first_use = time_second; 320 if (tdbp->tdb_flags & TDBF_FIRSTUSE) 321 timeout_add_sec(&tdbp->tdb_first_tmo, 322 tdbp->tdb_exp_first_use); 323 if (tdbp->tdb_flags & TDBF_SOFT_FIRSTUSE) 324 timeout_add_sec(&tdbp->tdb_sfirst_tmo, 325 tdbp->tdb_soft_first_use); 326 } 327 328 tdbp->tdb_ipackets++; 329 tdbp->tdb_ibytes += m->m_pkthdr.len; 330 331 /* 332 * Call appropriate transform and return -- callback takes care of 333 * everything else. 334 */ 335 error = (*(tdbp->tdb_xform->xf_input))(m, tdbp, skip, protoff); 336 if (error) { 337 ipsecstat_inc(ipsec_idrops); 338 tdbp->tdb_idrops++; 339 } 340 return error; 341 342 drop: 343 ipsecstat_inc(ipsec_idrops); 344 if (tdbp != NULL) 345 tdbp->tdb_idrops++; 346 m_freem(m); 347 return error; 348 } 349 350 void 351 ipsec_input_cb(struct cryptop *crp) 352 { 353 struct tdb_crypto *tc = (struct tdb_crypto *) crp->crp_opaque; 354 struct mbuf *m = (struct mbuf *) crp->crp_buf; 355 struct tdb *tdb = NULL; 356 int clen, error; 357 358 if (m == NULL) { 359 DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); 360 ipsecstat_inc(ipsec_crypto); 361 goto droponly; 362 } 363 364 365 NET_LOCK(); 366 tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); 367 if (tdb == NULL) { 368 DPRINTF(("%s: TDB is expired while in crypto", __func__)); 369 ipsecstat_inc(ipsec_notdb); 370 goto baddone; 371 } 372 373 /* Check for crypto errors */ 374 if (crp->crp_etype) { 375 if (crp->crp_etype == EAGAIN) { 376 /* Reset the session ID */ 377 if (tdb->tdb_cryptoid != 0) 378 tdb->tdb_cryptoid = crp->crp_sid; 379 NET_UNLOCK(); 380 crypto_dispatch(crp); 381 return; 382 } 383 DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); 384 ipsecstat_inc(ipsec_noxform); 385 goto baddone; 386 } 387 388 /* Length of data after processing */ 389 clen = crp->crp_olen; 390 391 /* Release the crypto descriptors */ 392 crypto_freereq(crp); 393 394 switch (tdb->tdb_sproto) { 395 case IPPROTO_ESP: 396 error = esp_input_cb(tdb, tc, m, clen); 397 break; 398 case IPPROTO_AH: 399 error = ah_input_cb(tdb, tc, m, clen); 400 break; 401 case IPPROTO_IPCOMP: 402 error = ipcomp_input_cb(tdb, tc, m, clen); 403 break; 404 default: 405 panic("%s: unknown/unsupported security protocol %d", 406 __func__, tdb->tdb_sproto); 407 } 408 409 NET_UNLOCK(); 410 if (error) { 411 ipsecstat_inc(ipsec_idrops); 412 tdb->tdb_idrops++; 413 } 414 return; 415 416 baddone: 417 NET_UNLOCK(); 418 droponly: 419 ipsecstat_inc(ipsec_idrops); 420 if (tdb != NULL) 421 tdb->tdb_idrops++; 422 free(tc, M_XDATA, 0); 423 m_freem(m); 424 crypto_freereq(crp); 425 } 426 427 /* 428 * IPsec input callback, called by the transform callback. Takes care of 429 * filtering and other sanity checks on the processed packet. 430 */ 431 int 432 ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) 433 { 434 int af, sproto; 435 u_int8_t prot; 436 437 #if NBPFILTER > 0 438 struct ifnet *encif; 439 #endif 440 441 struct ip *ip, ipn; 442 443 #ifdef INET6 444 struct ip6_hdr *ip6, ip6n; 445 #endif /* INET6 */ 446 struct m_tag *mtag; 447 struct tdb_ident *tdbi; 448 449 #ifdef ENCDEBUG 450 char buf[INET6_ADDRSTRLEN]; 451 #endif 452 453 af = tdbp->tdb_dst.sa.sa_family; 454 sproto = tdbp->tdb_sproto; 455 456 tdbp->tdb_last_used = time_second; 457 458 /* Sanity check */ 459 if (m == NULL) { 460 /* The called routine will print a message if necessary */ 461 IPSEC_ISTAT(esps_badkcr, ahs_badkcr, ipcomps_badkcr); 462 return -1; 463 } 464 465 /* Fix IPv4 header */ 466 if (af == AF_INET) { 467 if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) { 468 DPRINTF(("%s: processing failed for SA %s/%08x\n", 469 __func__, ipsp_address(&tdbp->tdb_dst, 470 buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); 471 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 472 return -1; 473 } 474 475 ip = mtod(m, struct ip *); 476 ip->ip_len = htons(m->m_pkthdr.len); 477 ip->ip_sum = 0; 478 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 479 prot = ip->ip_p; 480 481 /* IP-in-IP encapsulation */ 482 if (prot == IPPROTO_IPIP) { 483 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 484 m_freem(m); 485 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 486 ipcomps_hdrops); 487 return -1; 488 } 489 /* ipn will now contain the inner IPv4 header */ 490 m_copydata(m, skip, sizeof(struct ip), 491 (caddr_t) &ipn); 492 } 493 494 #ifdef INET6 495 /* IPv6-in-IP encapsulation. */ 496 if (prot == IPPROTO_IPV6) { 497 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 498 m_freem(m); 499 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 500 ipcomps_hdrops); 501 return -1; 502 } 503 /* ip6n will now contain the inner IPv6 header. */ 504 m_copydata(m, skip, sizeof(struct ip6_hdr), 505 (caddr_t) &ip6n); 506 } 507 #endif /* INET6 */ 508 } 509 510 #ifdef INET6 511 /* Fix IPv6 header */ 512 if (af == AF_INET6) 513 { 514 if (m->m_len < sizeof(struct ip6_hdr) && 515 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 516 517 DPRINTF(("%s: processing failed for SA %s/%08x\n", 518 __func__, ipsp_address(&tdbp->tdb_dst, 519 buf, sizeof(buf)), ntohl(tdbp->tdb_spi))); 520 521 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 522 return -1; 523 } 524 525 ip6 = mtod(m, struct ip6_hdr *); 526 ip6->ip6_plen = htons(m->m_pkthdr.len - skip); 527 528 /* Save protocol */ 529 m_copydata(m, protoff, 1, (caddr_t) &prot); 530 531 /* IP-in-IP encapsulation */ 532 if (prot == IPPROTO_IPIP) { 533 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 534 m_freem(m); 535 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 536 ipcomps_hdrops); 537 return -1; 538 } 539 /* ipn will now contain the inner IPv4 header */ 540 m_copydata(m, skip, sizeof(struct ip), (caddr_t) &ipn); 541 } 542 543 /* IPv6-in-IP encapsulation */ 544 if (prot == IPPROTO_IPV6) { 545 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 546 m_freem(m); 547 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 548 ipcomps_hdrops); 549 return -1; 550 } 551 /* ip6n will now contain the inner IPv6 header. */ 552 m_copydata(m, skip, sizeof(struct ip6_hdr), 553 (caddr_t) &ip6n); 554 } 555 } 556 #endif /* INET6 */ 557 558 /* 559 * Fix TCP/UDP checksum of UDP encapsulated transport mode ESP packet. 560 * (RFC3948 3.1.2) 561 */ 562 if ((af == AF_INET || af == AF_INET6) && 563 (tdbp->tdb_flags & TDBF_UDPENCAP) && 564 (tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 565 u_int16_t cksum; 566 567 switch (prot) { 568 case IPPROTO_UDP: 569 if (m->m_pkthdr.len < skip + sizeof(struct udphdr)) { 570 m_freem(m); 571 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 572 ipcomps_hdrops); 573 return -1; 574 } 575 cksum = 0; 576 m_copyback(m, skip + offsetof(struct udphdr, uh_sum), 577 sizeof(cksum), &cksum, M_NOWAIT); 578 #ifdef INET6 579 if (af == AF_INET6) { 580 cksum = in6_cksum(m, IPPROTO_UDP, skip, 581 m->m_pkthdr.len - skip); 582 m_copyback(m, skip + offsetof(struct udphdr, 583 uh_sum), sizeof(cksum), &cksum, M_NOWAIT); 584 } 585 #endif 586 break; 587 case IPPROTO_TCP: 588 if (m->m_pkthdr.len < skip + sizeof(struct tcphdr)) { 589 m_freem(m); 590 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, 591 ipcomps_hdrops); 592 return -1; 593 } 594 cksum = 0; 595 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 596 sizeof(cksum), &cksum, M_NOWAIT); 597 if (af == AF_INET) 598 cksum = in4_cksum(m, IPPROTO_TCP, skip, 599 m->m_pkthdr.len - skip); 600 #ifdef INET6 601 else if (af == AF_INET6) 602 cksum = in6_cksum(m, IPPROTO_TCP, skip, 603 m->m_pkthdr.len - skip); 604 #endif 605 m_copyback(m, skip + offsetof(struct tcphdr, th_sum), 606 sizeof(cksum), &cksum, M_NOWAIT); 607 break; 608 } 609 } 610 611 /* 612 * Record what we've done to the packet (under what SA it was 613 * processed). 614 */ 615 if (tdbp->tdb_sproto != IPPROTO_IPCOMP) { 616 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 617 sizeof(struct tdb_ident), M_NOWAIT); 618 if (mtag == NULL) { 619 m_freem(m); 620 DPRINTF(("%s: failed to get tag\n", __func__)); 621 IPSEC_ISTAT(esps_hdrops, ahs_hdrops, ipcomps_hdrops); 622 return -1; 623 } 624 625 tdbi = (struct tdb_ident *)(mtag + 1); 626 tdbi->dst = tdbp->tdb_dst; 627 tdbi->proto = tdbp->tdb_sproto; 628 tdbi->spi = tdbp->tdb_spi; 629 tdbi->rdomain = tdbp->tdb_rdomain; 630 631 m_tag_prepend(m, mtag); 632 } 633 634 switch (sproto) { 635 case IPPROTO_ESP: 636 /* Packet is confidential ? */ 637 if (tdbp->tdb_encalgxform) 638 m->m_flags |= M_CONF; 639 640 /* Check if we had authenticated ESP. */ 641 if (tdbp->tdb_authalgxform) 642 m->m_flags |= M_AUTH; 643 break; 644 case IPPROTO_AH: 645 m->m_flags |= M_AUTH; 646 break; 647 case IPPROTO_IPCOMP: 648 m->m_flags |= M_COMP; 649 break; 650 default: 651 panic("%s: unknown/unsupported security protocol %d", 652 __func__, sproto); 653 } 654 655 #if NPF > 0 656 /* Add pf tag if requested. */ 657 pf_tag_packet(m, tdbp->tdb_tag, -1); 658 pf_pkt_addr_changed(m); 659 #endif 660 661 if (tdbp->tdb_flags & TDBF_TUNNELING) 662 m->m_flags |= M_TUNNEL; 663 664 ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); 665 tdbp->tdb_idecompbytes += m->m_pkthdr.len; 666 667 #if NBPFILTER > 0 668 if ((encif = enc_getif(tdbp->tdb_rdomain, tdbp->tdb_tap)) != NULL) { 669 encif->if_ipackets++; 670 encif->if_ibytes += m->m_pkthdr.len; 671 672 if (encif->if_bpf) { 673 struct enchdr hdr; 674 675 hdr.af = af; 676 hdr.spi = tdbp->tdb_spi; 677 hdr.flags = m->m_flags & (M_AUTH|M_CONF); 678 679 bpf_mtap_hdr(encif->if_bpf, (char *)&hdr, 680 ENC_HDRLEN, m, BPF_DIRECTION_IN); 681 } 682 } 683 #endif 684 685 #if NPF > 0 686 /* 687 * The ip_deliver() shortcut avoids running through ip_input() with the 688 * same IP header twice. Packets in transport mode have to be be 689 * passed to pf explicitly. In tunnel mode the inner IP header will 690 * run through ip_input() and pf anyway. 691 */ 692 if ((tdbp->tdb_flags & TDBF_TUNNELING) == 0) { 693 struct ifnet *ifp; 694 695 /* This is the enc0 interface unless for ipcomp. */ 696 if ((ifp = if_get(m->m_pkthdr.ph_ifidx)) == NULL) { 697 m_freem(m); 698 return -1; 699 } 700 if (pf_test(af, PF_IN, ifp, &m) != PF_PASS) { 701 if_put(ifp); 702 m_freem(m); 703 return -1; 704 } 705 if_put(ifp); 706 if (m == NULL) 707 return -1; 708 } 709 #endif 710 /* Call the appropriate IPsec transform callback. */ 711 ip_deliver(&m, &skip, prot, af); 712 return 0; 713 #undef IPSEC_ISTAT 714 } 715 716 int 717 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 718 size_t newlen) 719 { 720 int error; 721 722 switch (name[0]) { 723 case IPCTL_IPSEC_ENC_ALGORITHM: 724 NET_LOCK(); 725 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 726 ipsec_def_enc, sizeof(ipsec_def_enc)); 727 NET_UNLOCK(); 728 return (error); 729 case IPCTL_IPSEC_AUTH_ALGORITHM: 730 NET_LOCK(); 731 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 732 ipsec_def_auth, sizeof(ipsec_def_auth)); 733 NET_UNLOCK(); 734 return (error); 735 case IPCTL_IPSEC_IPCOMP_ALGORITHM: 736 NET_LOCK(); 737 error = sysctl_tstring(oldp, oldlenp, newp, newlen, 738 ipsec_def_comp, sizeof(ipsec_def_comp)); 739 NET_UNLOCK(); 740 return (error); 741 case IPCTL_IPSEC_STATS: 742 return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp)); 743 default: 744 if (name[0] < IPSEC_MAXID) { 745 NET_LOCK(); 746 error = sysctl_int_arr(ipsecctl_vars, name, namelen, 747 oldp, oldlenp, newp, newlen); 748 NET_UNLOCK(); 749 return (error); 750 } 751 return (EOPNOTSUPP); 752 } 753 } 754 755 int 756 esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 757 size_t newlen) 758 { 759 int error; 760 761 /* All sysctl names at this level are terminal. */ 762 if (namelen != 1) 763 return (ENOTDIR); 764 765 switch (name[0]) { 766 case ESPCTL_STATS: 767 return (esp_sysctl_espstat(oldp, oldlenp, newp)); 768 default: 769 if (name[0] < ESPCTL_MAXID) { 770 NET_LOCK(); 771 error = sysctl_int_arr(espctl_vars, name, namelen, 772 oldp, oldlenp, newp, newlen); 773 NET_UNLOCK(); 774 return (error); 775 } 776 return (ENOPROTOOPT); 777 } 778 } 779 780 int 781 esp_sysctl_espstat(void *oldp, size_t *oldlenp, void *newp) 782 { 783 struct espstat espstat; 784 785 CTASSERT(sizeof(espstat) == (esps_ncounters * sizeof(uint64_t))); 786 memset(&espstat, 0, sizeof espstat); 787 counters_read(espcounters, (uint64_t *)&espstat, esps_ncounters); 788 return (sysctl_rdstruct(oldp, oldlenp, newp, &espstat, 789 sizeof(espstat))); 790 } 791 792 int 793 ah_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 794 size_t newlen) 795 { 796 int error; 797 798 /* All sysctl names at this level are terminal. */ 799 if (namelen != 1) 800 return (ENOTDIR); 801 802 switch (name[0]) { 803 case AHCTL_STATS: 804 return ah_sysctl_ahstat(oldp, oldlenp, newp); 805 default: 806 if (name[0] < AHCTL_MAXID) { 807 NET_LOCK(); 808 error = sysctl_int_arr(ahctl_vars, name, namelen, 809 oldp, oldlenp, newp, newlen); 810 NET_UNLOCK(); 811 return (error); 812 } 813 return (ENOPROTOOPT); 814 } 815 } 816 817 int 818 ah_sysctl_ahstat(void *oldp, size_t *oldlenp, void *newp) 819 { 820 struct ahstat ahstat; 821 822 CTASSERT(sizeof(ahstat) == (ahs_ncounters * sizeof(uint64_t))); 823 memset(&ahstat, 0, sizeof ahstat); 824 counters_read(ahcounters, (uint64_t *)&ahstat, ahs_ncounters); 825 return (sysctl_rdstruct(oldp, oldlenp, newp, &ahstat, sizeof(ahstat))); 826 } 827 828 int 829 ipcomp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, 830 size_t newlen) 831 { 832 int error; 833 834 /* All sysctl names at this level are terminal. */ 835 if (namelen != 1) 836 return (ENOTDIR); 837 838 switch (name[0]) { 839 case IPCOMPCTL_STATS: 840 return ipcomp_sysctl_ipcompstat(oldp, oldlenp, newp); 841 default: 842 if (name[0] < IPCOMPCTL_MAXID) { 843 NET_LOCK(); 844 error = sysctl_int_arr(ipcompctl_vars, name, namelen, 845 oldp, oldlenp, newp, newlen); 846 NET_UNLOCK(); 847 return (error); 848 } 849 return (ENOPROTOOPT); 850 } 851 } 852 853 int 854 ipcomp_sysctl_ipcompstat(void *oldp, size_t *oldlenp, void *newp) 855 { 856 struct ipcompstat ipcompstat; 857 858 CTASSERT(sizeof(ipcompstat) == (ipcomps_ncounters * sizeof(uint64_t))); 859 memset(&ipcompstat, 0, sizeof ipcompstat); 860 counters_read(ipcompcounters, (uint64_t *)&ipcompstat, 861 ipcomps_ncounters); 862 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipcompstat, 863 sizeof(ipcompstat))); 864 } 865 866 int 867 ipsec_sysctl_ipsecstat(void *oldp, size_t *oldlenp, void *newp) 868 { 869 struct ipsecstat ipsecstat; 870 871 CTASSERT(sizeof(ipsecstat) == (ipsec_ncounters * sizeof(uint64_t))); 872 memset(&ipsecstat, 0, sizeof ipsecstat); 873 counters_read(ipseccounters, (uint64_t *)&ipsecstat, ipsec_ncounters); 874 return (sysctl_rdstruct(oldp, oldlenp, newp, &ipsecstat, 875 sizeof(ipsecstat))); 876 } 877 878 /* IPv4 AH wrapper. */ 879 int 880 ah4_input(struct mbuf **mp, int *offp, int proto, int af) 881 { 882 if ( 883 #if NPF > 0 884 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 885 #endif 886 !ah_enable) 887 return rip_input(mp, offp, proto, af); 888 889 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 890 proto, 0); 891 return IPPROTO_DONE; 892 } 893 894 void 895 ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 896 { 897 if (sa->sa_family != AF_INET || 898 sa->sa_len != sizeof(struct sockaddr_in)) 899 return; 900 901 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_AH); 902 } 903 904 /* IPv4 ESP wrapper. */ 905 int 906 esp4_input(struct mbuf **mp, int *offp, int proto, int af) 907 { 908 if ( 909 #if NPF > 0 910 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 911 #endif 912 !esp_enable) 913 return rip_input(mp, offp, proto, af); 914 915 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 916 proto, 0); 917 return IPPROTO_DONE; 918 } 919 920 /* IPv4 IPCOMP wrapper */ 921 int 922 ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af) 923 { 924 if ( 925 #if NPF > 0 926 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 927 #endif 928 !ipcomp_enable) 929 return rip_input(mp, offp, proto, af); 930 931 ipsec_common_input(*mp, *offp, offsetof(struct ip, ip_p), AF_INET, 932 proto, 0); 933 return IPPROTO_DONE; 934 } 935 936 void 937 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, 938 void *v, int proto) 939 { 940 struct ip *ip = v; 941 942 if (cmd == PRC_MSGSIZE && ip && ip_mtudisc && ip->ip_v == 4) { 943 struct tdb *tdbp; 944 struct sockaddr_in dst; 945 struct icmp *icp; 946 int hlen = ip->ip_hl << 2; 947 u_int32_t spi, mtu; 948 ssize_t adjust; 949 950 /* Find the right MTU. */ 951 icp = (struct icmp *)((caddr_t) ip - 952 offsetof(struct icmp, icmp_ip)); 953 mtu = ntohs(icp->icmp_nextmtu); 954 955 /* 956 * Ignore the packet, if we do not receive a MTU 957 * or the MTU is too small to be acceptable. 958 */ 959 if (mtu < 296) 960 return; 961 962 memset(&dst, 0, sizeof(struct sockaddr_in)); 963 dst.sin_family = AF_INET; 964 dst.sin_len = sizeof(struct sockaddr_in); 965 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 966 967 memcpy(&spi, (caddr_t)ip + hlen, sizeof(u_int32_t)); 968 969 tdbp = gettdb(rdomain, spi, (union sockaddr_union *)&dst, 970 proto); 971 if (tdbp == NULL || tdbp->tdb_flags & TDBF_INVALID) 972 return; 973 974 /* Walk the chain backwards to the first tdb */ 975 NET_ASSERT_LOCKED(); 976 for (; tdbp; tdbp = tdbp->tdb_inext) { 977 if (tdbp->tdb_flags & TDBF_INVALID || 978 (adjust = ipsec_hdrsz(tdbp)) == -1) 979 return; 980 981 mtu -= adjust; 982 983 /* Store adjusted MTU in tdb */ 984 tdbp->tdb_mtu = mtu; 985 tdbp->tdb_mtutimeout = time_second + 986 ip_mtudisc_timeout; 987 DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", __func__, 988 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 989 adjust)); 990 } 991 } 992 } 993 994 void 995 udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 996 { 997 struct ip *ip = v; 998 struct tdb *tdbp; 999 struct icmp *icp; 1000 u_int32_t mtu; 1001 ssize_t adjust; 1002 struct sockaddr_in dst, src; 1003 union sockaddr_union *su_dst, *su_src; 1004 1005 NET_ASSERT_LOCKED(); 1006 1007 icp = (struct icmp *)((caddr_t) ip - offsetof(struct icmp, icmp_ip)); 1008 mtu = ntohs(icp->icmp_nextmtu); 1009 1010 /* 1011 * Ignore the packet, if we do not receive a MTU 1012 * or the MTU is too small to be acceptable. 1013 */ 1014 if (mtu < 296) 1015 return; 1016 1017 memset(&dst, 0, sizeof(dst)); 1018 dst.sin_family = AF_INET; 1019 dst.sin_len = sizeof(struct sockaddr_in); 1020 dst.sin_addr.s_addr = ip->ip_dst.s_addr; 1021 su_dst = (union sockaddr_union *)&dst; 1022 memset(&src, 0, sizeof(src)); 1023 src.sin_family = AF_INET; 1024 src.sin_len = sizeof(struct sockaddr_in); 1025 src.sin_addr.s_addr = ip->ip_src.s_addr; 1026 su_src = (union sockaddr_union *)&src; 1027 1028 tdbp = gettdbbysrcdst(rdomain, 0, su_src, su_dst, IPPROTO_ESP); 1029 1030 for (; tdbp != NULL; tdbp = tdbp->tdb_snext) { 1031 if (tdbp->tdb_sproto == IPPROTO_ESP && 1032 ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_UDPENCAP)) == 1033 TDBF_UDPENCAP) && 1034 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) && 1035 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) { 1036 if ((adjust = ipsec_hdrsz(tdbp)) != -1) { 1037 /* Store adjusted MTU in tdb */ 1038 tdbp->tdb_mtu = mtu - adjust; 1039 tdbp->tdb_mtutimeout = time_second + 1040 ip_mtudisc_timeout; 1041 DPRINTF(("%s: spi %08x mtu %d adjust %ld\n", 1042 __func__, 1043 ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, 1044 adjust)); 1045 } 1046 } 1047 } 1048 } 1049 1050 void 1051 esp4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) 1052 { 1053 if (sa->sa_family != AF_INET || 1054 sa->sa_len != sizeof(struct sockaddr_in)) 1055 return; 1056 1057 ipsec_common_ctlinput(rdomain, cmd, sa, v, IPPROTO_ESP); 1058 } 1059 1060 #ifdef INET6 1061 /* IPv6 AH wrapper. */ 1062 int 1063 ah6_input(struct mbuf **mp, int *offp, int proto, int af) 1064 { 1065 int l = 0; 1066 int protoff, nxt; 1067 struct ip6_ext ip6e; 1068 1069 if ( 1070 #if NPF > 0 1071 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1072 #endif 1073 !ah_enable) 1074 return rip6_input(mp, offp, proto, af); 1075 1076 if (*offp < sizeof(struct ip6_hdr)) { 1077 DPRINTF(("%s: bad offset\n", __func__)); 1078 ahstat_inc(ahs_hdrops); 1079 m_freemp(mp); 1080 return IPPROTO_DONE; 1081 } else if (*offp == sizeof(struct ip6_hdr)) { 1082 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1083 } else { 1084 /* Chase down the header chain... */ 1085 protoff = sizeof(struct ip6_hdr); 1086 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1087 1088 do { 1089 protoff += l; 1090 m_copydata(*mp, protoff, sizeof(ip6e), 1091 (caddr_t) &ip6e); 1092 1093 if (nxt == IPPROTO_AH) 1094 l = (ip6e.ip6e_len + 2) << 2; 1095 else 1096 l = (ip6e.ip6e_len + 1) << 3; 1097 #ifdef DIAGNOSTIC 1098 if (l <= 0) 1099 panic("ah6_input: l went zero or negative"); 1100 #endif 1101 1102 nxt = ip6e.ip6e_nxt; 1103 } while (protoff + l < *offp); 1104 1105 /* Malformed packet check */ 1106 if (protoff + l != *offp) { 1107 DPRINTF(("%s: bad packet header chain\n", __func__)); 1108 ahstat_inc(ahs_hdrops); 1109 m_freemp(mp); 1110 return IPPROTO_DONE; 1111 } 1112 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1113 } 1114 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1115 return IPPROTO_DONE; 1116 } 1117 1118 /* IPv6 ESP wrapper. */ 1119 int 1120 esp6_input(struct mbuf **mp, int *offp, int proto, int af) 1121 { 1122 int l = 0; 1123 int protoff, nxt; 1124 struct ip6_ext ip6e; 1125 1126 if ( 1127 #if NPF > 0 1128 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1129 #endif 1130 !esp_enable) 1131 return rip6_input(mp, offp, proto, af); 1132 1133 if (*offp < sizeof(struct ip6_hdr)) { 1134 DPRINTF(("%s: bad offset\n", __func__)); 1135 espstat_inc(esps_hdrops); 1136 m_freemp(mp); 1137 return IPPROTO_DONE; 1138 } else if (*offp == sizeof(struct ip6_hdr)) { 1139 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1140 } else { 1141 /* Chase down the header chain... */ 1142 protoff = sizeof(struct ip6_hdr); 1143 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1144 1145 do { 1146 protoff += l; 1147 m_copydata(*mp, protoff, sizeof(ip6e), 1148 (caddr_t) &ip6e); 1149 1150 if (nxt == IPPROTO_AH) 1151 l = (ip6e.ip6e_len + 2) << 2; 1152 else 1153 l = (ip6e.ip6e_len + 1) << 3; 1154 #ifdef DIAGNOSTIC 1155 if (l <= 0) 1156 panic("esp6_input: l went zero or negative"); 1157 #endif 1158 1159 nxt = ip6e.ip6e_nxt; 1160 } while (protoff + l < *offp); 1161 1162 /* Malformed packet check */ 1163 if (protoff + l != *offp) { 1164 DPRINTF(("%s: bad packet header chain\n", __func__)); 1165 espstat_inc(esps_hdrops); 1166 m_freemp(mp); 1167 return IPPROTO_DONE; 1168 } 1169 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1170 } 1171 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1172 return IPPROTO_DONE; 1173 1174 } 1175 1176 /* IPv6 IPcomp wrapper */ 1177 int 1178 ipcomp6_input(struct mbuf **mp, int *offp, int proto, int af) 1179 { 1180 int l = 0; 1181 int protoff, nxt; 1182 struct ip6_ext ip6e; 1183 1184 if ( 1185 #if NPF > 0 1186 ((*mp)->m_pkthdr.pf.flags & PF_TAG_DIVERTED) || 1187 #endif 1188 !ipcomp_enable) 1189 return rip6_input(mp, offp, proto, af); 1190 1191 if (*offp < sizeof(struct ip6_hdr)) { 1192 DPRINTF(("%s: bad offset\n", __func__)); 1193 ipcompstat_inc(ipcomps_hdrops); 1194 m_freemp(mp); 1195 return IPPROTO_DONE; 1196 } else if (*offp == sizeof(struct ip6_hdr)) { 1197 protoff = offsetof(struct ip6_hdr, ip6_nxt); 1198 } else { 1199 /* Chase down the header chain... */ 1200 protoff = sizeof(struct ip6_hdr); 1201 nxt = (mtod(*mp, struct ip6_hdr *))->ip6_nxt; 1202 1203 do { 1204 protoff += l; 1205 m_copydata(*mp, protoff, sizeof(ip6e), 1206 (caddr_t) &ip6e); 1207 if (nxt == IPPROTO_AH) 1208 l = (ip6e.ip6e_len + 2) << 2; 1209 else 1210 l = (ip6e.ip6e_len + 1) << 3; 1211 #ifdef DIAGNOSTIC 1212 if (l <= 0) 1213 panic("l went zero or negative"); 1214 #endif 1215 1216 nxt = ip6e.ip6e_nxt; 1217 } while (protoff + l < *offp); 1218 1219 /* Malformed packet check */ 1220 if (protoff + l != *offp) { 1221 DPRINTF(("%s: bad packet header chain\n", __func__)); 1222 ipcompstat_inc(ipcomps_hdrops); 1223 m_freemp(mp); 1224 return IPPROTO_DONE; 1225 } 1226 1227 protoff += offsetof(struct ip6_ext, ip6e_nxt); 1228 } 1229 ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); 1230 return IPPROTO_DONE; 1231 } 1232 #endif /* INET6 */ 1233 1234 int 1235 ipsec_forward_check(struct mbuf *m, int hlen, int af) 1236 { 1237 struct tdb *tdb; 1238 struct tdb_ident *tdbi; 1239 struct m_tag *mtag; 1240 int error = 0; 1241 1242 /* 1243 * IPsec policy check for forwarded packets. Look at 1244 * inner-most IPsec SA used. 1245 */ 1246 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1247 if (mtag != NULL) { 1248 tdbi = (struct tdb_ident *)(mtag + 1); 1249 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); 1250 } else 1251 tdb = NULL; 1252 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0); 1253 1254 return error; 1255 } 1256 1257 int 1258 ipsec_local_check(struct mbuf *m, int hlen, int proto, int af) 1259 { 1260 struct tdb *tdb; 1261 struct tdb_ident *tdbi; 1262 struct m_tag *mtag; 1263 int error = 0; 1264 1265 /* 1266 * If it's a protected packet for us, skip the policy check. 1267 * That's because we really only care about the properties of 1268 * the protected packet, and not the intermediate versions. 1269 * While this is not the most paranoid setting, it allows 1270 * some flexibility in handling nested tunnels (in setting up 1271 * the policies). 1272 */ 1273 if ((proto == IPPROTO_ESP) || (proto == IPPROTO_AH) || 1274 (proto == IPPROTO_IPCOMP)) 1275 return 0; 1276 1277 /* 1278 * If the protected packet was tunneled, then we need to 1279 * verify the protected packet's information, not the 1280 * external headers. Thus, skip the policy lookup for the 1281 * external packet, and keep the IPsec information linked on 1282 * the packet header (the encapsulation routines know how 1283 * to deal with that). 1284 */ 1285 if ((proto == IPPROTO_IPV4) || (proto == IPPROTO_IPV6)) 1286 return 0; 1287 1288 /* 1289 * When processing IPv6 header chains, do not look at the 1290 * outer header. The inner protocol is relevant and will 1291 * be checked by the local delivery loop later. 1292 */ 1293 if ((af == AF_INET6) && ((proto == IPPROTO_DSTOPTS) || 1294 (proto == IPPROTO_ROUTING) || (proto == IPPROTO_FRAGMENT))) 1295 return 0; 1296 1297 /* 1298 * If the protected packet is TCP or UDP, we'll do the 1299 * policy check in the respective input routine, so we can 1300 * check for bypass sockets. 1301 */ 1302 if ((proto == IPPROTO_TCP) || (proto == IPPROTO_UDP)) 1303 return 0; 1304 1305 /* 1306 * IPsec policy check for local-delivery packets. Look at the 1307 * inner-most SA that protected the packet. This is in fact 1308 * a bit too restrictive (it could end up causing packets to 1309 * be dropped that semantically follow the policy, e.g., in 1310 * certain SA-bundle configurations); but the alternative is 1311 * very complicated (and requires keeping track of what 1312 * kinds of tunneling headers have been seen in-between the 1313 * IPsec headers), and I don't think we lose much functionality 1314 * that's needed in the real world (who uses bundles anyway ?). 1315 */ 1316 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); 1317 if (mtag) { 1318 tdbi = (struct tdb_ident *)(mtag + 1); 1319 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, 1320 tdbi->proto); 1321 } else 1322 tdb = NULL; 1323 ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, 1324 tdb, NULL, 0); 1325 1326 return error; 1327 } 1328