1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
2 /*-
3 * The authors of this code are John Ioannidis (ji@tla.org),
4 * Angelos D. Keromytis (kermit@csd.uch.gr) and
5 * Niels Provos (provos@physnet.uni-hamburg.de).
6 *
7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8 * in November 1995.
9 *
10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11 * by Angelos D. Keromytis.
12 *
13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14 * and Niels Provos.
15 *
16 * Additional features in 1999 by Angelos D. Keromytis.
17 *
18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19 * Angelos D. Keromytis and Niels Provos.
20 * Copyright (c) 2001, Angelos D. Keromytis.
21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
22 *
23 * Permission to use, copy, and modify this software with or without fee
24 * is hereby granted, provided that this entire notice is included in
25 * all copies of any software which is or includes a copy or
26 * modification of this software.
27 * You may use this code under the GNU public license if you so wish. Please
28 * contribute changes back to the authors under this freer than GPL license
29 * so that we may further the use of strong encryption without limitations to
30 * all.
31 *
32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36 * PURPOSE.
37 */
38
39 /*
40 * IPsec input processing.
41 */
42
43 #include <sys/cdefs.h>
44 #include "opt_inet.h"
45 #include "opt_inet6.h"
46 #include "opt_ipsec.h"
47
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/malloc.h>
51 #include <sys/mbuf.h>
52 #include <sys/domain.h>
53 #include <sys/protosw.h>
54 #include <sys/socket.h>
55 #include <sys/errno.h>
56 #include <sys/hhook.h>
57 #include <sys/stdarg.h>
58 #include <sys/syslog.h>
59
60 #include <net/if.h>
61 #include <net/if_var.h>
62 #include <net/if_enc.h>
63 #include <net/if_private.h>
64 #include <net/netisr.h>
65 #include <net/vnet.h>
66
67 #include <netinet/in.h>
68 #include <netinet/in_pcb.h>
69 #include <netinet/in_systm.h>
70 #include <netinet/ip.h>
71 #include <netinet/ip_var.h>
72 #include <netinet/ip_icmp.h>
73 #include <netinet/in_var.h>
74 #include <netinet/tcp_var.h>
75
76 #include <netinet/ip6.h>
77 #ifdef INET6
78 #include <netinet6/ip6_var.h>
79 #endif
80 #include <netinet/in_pcb.h>
81 #ifdef INET6
82 #include <netinet/icmp6.h>
83 #endif
84
85 #include <netipsec/ipsec.h>
86 #ifdef INET6
87 #include <netipsec/ipsec6.h>
88 #endif
89 #include <netipsec/ipsec_support.h>
90 #include <netipsec/ah_var.h>
91 #include <netipsec/esp.h>
92 #include <netipsec/esp_var.h>
93 #include <netipsec/ipcomp_var.h>
94 #include <netipsec/ipsec_offload.h>
95
96 #include <netipsec/key.h>
97 #include <netipsec/keydb.h>
98 #include <netipsec/key_debug.h>
99
100 #include <netipsec/xform.h>
101
102 #include <machine/in_cksum.h>
103
104 #define IPSEC_ISTAT(proto, name) do { \
105 if ((proto) == IPPROTO_ESP) \
106 ESPSTAT_INC(esps_##name); \
107 else if ((proto) == IPPROTO_AH) \
108 AHSTAT_INC(ahs_##name); \
109 else \
110 IPCOMPSTAT_INC(ipcomps_##name); \
111 } while (0)
112
113 /*
114 * ipsec_common_input gets called when an IPsec-protected packet
115 * is received by IPv4 or IPv6. Its job is to find the right SA
116 * and call the appropriate transform. The transform callback
117 * takes care of further processing (like ingress filtering).
118 */
119 static int
ipsec_common_input(struct mbuf * m,int skip,int protoff,int af,int sproto)120 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
121 {
122 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
123 union sockaddr_union dst_address;
124 struct secasvar *sav;
125 uint32_t spi;
126 int error;
127
128 IPSEC_ISTAT(sproto, input);
129
130 IPSEC_ASSERT(m != NULL, ("null packet"));
131
132 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
133 sproto == IPPROTO_IPCOMP,
134 ("unexpected security protocol %u", sproto));
135
136 if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
137 (sproto == IPPROTO_AH && !V_ah_enable) ||
138 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
139 m_freem(m);
140 IPSEC_ISTAT(sproto, pdrops);
141 return EOPNOTSUPP;
142 }
143
144 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
145 m_freem(m);
146 IPSEC_ISTAT(sproto, hdrops);
147 DPRINTF(("%s: packet too small\n", __func__));
148 return EINVAL;
149 }
150
151 /* Retrieve the SPI from the relevant IPsec header */
152 if (sproto == IPPROTO_ESP)
153 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
154 else if (sproto == IPPROTO_AH)
155 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
156 (caddr_t) &spi);
157 else if (sproto == IPPROTO_IPCOMP) {
158 u_int16_t cpi;
159 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
160 (caddr_t) &cpi);
161 spi = ntohl(htons(cpi));
162 }
163
164 /*
165 * Find the SA and (indirectly) call the appropriate
166 * kernel crypto routine. The resulting mbuf chain is a valid
167 * IP packet ready to go through input processing.
168 */
169 bzero(&dst_address, sizeof (dst_address));
170 dst_address.sa.sa_family = af;
171 switch (af) {
172 #ifdef INET
173 case AF_INET:
174 dst_address.sin.sin_len = sizeof(struct sockaddr_in);
175 m_copydata(m, offsetof(struct ip, ip_dst),
176 sizeof(struct in_addr),
177 (caddr_t) &dst_address.sin.sin_addr);
178 break;
179 #endif /* INET */
180 #ifdef INET6
181 case AF_INET6:
182 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
183 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
184 sizeof(struct in6_addr),
185 (caddr_t) &dst_address.sin6.sin6_addr);
186 /* We keep addresses in SADB without embedded scope id */
187 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
188 /* XXX: sa6_recoverscope() */
189 dst_address.sin6.sin6_scope_id =
190 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
191 dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
192 }
193 break;
194 #endif /* INET6 */
195 default:
196 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
197 m_freem(m);
198 IPSEC_ISTAT(sproto, nopf);
199 return EPFNOSUPPORT;
200 }
201
202 /* NB: only pass dst since key_allocsa follows RFC2401 */
203 sav = key_allocsa(&dst_address, sproto, spi);
204 if (sav == NULL) {
205 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
206 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
207 (u_long) ntohl(spi), sproto));
208 IPSEC_ISTAT(sproto, notdb);
209 m_freem(m);
210 return ENOENT;
211 }
212
213 if (sav->tdb_xform == NULL) {
214 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
215 __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
216 (u_long) ntohl(spi), sproto));
217 IPSEC_ISTAT(sproto, noxform);
218 key_freesav(&sav);
219 m_freem(m);
220 return ENXIO;
221 }
222
223 /*
224 * Call appropriate transform and return -- callback takes care of
225 * everything else.
226 */
227 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
228 return (error);
229 }
230
231 #ifdef INET
232 /*
233 * IPSEC_INPUT() method implementation for IPv4.
234 * 0 - Permitted by inbound security policy for further processing.
235 * EACCES - Forbidden by inbound security policy.
236 * EINPROGRESS - consumed by IPsec.
237 */
238 int
ipsec4_input(struct mbuf * m,int offset,int proto)239 ipsec4_input(struct mbuf *m, int offset, int proto)
240 {
241 int error;
242
243 error = ipsec_accel_input(m, offset, proto);
244 if (error != ENXIO)
245 return (error);
246
247 switch (proto) {
248 case IPPROTO_AH:
249 case IPPROTO_ESP:
250 case IPPROTO_IPCOMP:
251 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
252 ipsec_common_input(m, offset,
253 offsetof(struct ip, ip_p), AF_INET, proto);
254 return (EINPROGRESS); /* mbuf consumed by IPsec */
255 default:
256 /*
257 * Protocols with further headers get their IPsec treatment
258 * within the protocol specific processing.
259 */
260 switch (proto) {
261 case IPPROTO_ICMP:
262 case IPPROTO_IGMP:
263 case IPPROTO_IPV4:
264 case IPPROTO_IPV6:
265 case IPPROTO_RSVP:
266 case IPPROTO_GRE:
267 case IPPROTO_MOBILE:
268 case IPPROTO_ETHERIP:
269 case IPPROTO_PIM:
270 case IPPROTO_SCTP:
271 break;
272 default:
273 return (0);
274 }
275 };
276 /*
277 * Enforce IPsec policy checking if we are seeing last header.
278 */
279 if (ipsec4_in_reject(m, NULL) != 0) {
280 /* Forbidden by inbound security policy */
281 m_freem(m);
282 return (EACCES);
283 }
284 return (0);
285 }
286
287 int
ipsec4_ctlinput(ipsec_ctlinput_param_t param)288 ipsec4_ctlinput(ipsec_ctlinput_param_t param)
289 {
290 struct icmp *icp = param.icmp;
291 struct ip *ip = &icp->icmp_ip;
292 struct sockaddr_in icmpsrc = {
293 .sin_len = sizeof(struct sockaddr_in),
294 .sin_family = AF_INET,
295 .sin_addr = ip->ip_dst,
296 };
297 struct in_conninfo inc;
298 struct secasvar *sav;
299 uint32_t pmtu, spi;
300 uint32_t max_pmtu;
301 uint8_t proto;
302
303 pmtu = ntohs(icp->icmp_nextmtu);
304
305 if (pmtu < V_ip4_ipsec_min_pmtu)
306 return (EINVAL);
307
308 proto = ip->ip_p;
309 if (proto != IPPROTO_ESP && proto != IPPROTO_AH &&
310 proto != IPPROTO_IPCOMP)
311 return (EINVAL);
312
313 memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi));
314 sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi);
315 if (sav == NULL)
316 return (ENOENT);
317
318 key_freesav(&sav);
319
320 memset(&inc, 0, sizeof(inc));
321 inc.inc_faddr = ip->ip_dst;
322
323 /* Update pmtu only if its smaller than the current one. */
324 max_pmtu = tcp_hc_getmtu(&inc);
325 if (max_pmtu == 0)
326 max_pmtu = tcp_maxmtu(&inc, NULL);
327
328 if (pmtu < max_pmtu)
329 tcp_hc_updatemtu(&inc, pmtu);
330
331 return (0);
332 }
333
334 /*
335 * IPsec input callback for INET protocols.
336 * This routine is called as the transform callback.
337 * Takes care of filtering and other sanity checks on
338 * the processed packet.
339 */
340 int
ipsec4_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff,struct rm_priotracker * sahtree_tracker)341 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
342 int protoff, struct rm_priotracker *sahtree_tracker)
343 {
344 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
345 struct epoch_tracker et;
346 struct ipsec_ctx_data ctx;
347 struct xform_history *xh;
348 struct secasindex *saidx;
349 struct m_tag *mtag;
350 struct ip *ip;
351 int error, prot, af, sproto, isr_prot;
352
353 IPSEC_ASSERT(sav != NULL, ("null SA"));
354 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
355 saidx = &sav->sah->saidx;
356 af = saidx->dst.sa.sa_family;
357 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
358 sproto = saidx->proto;
359 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
360 sproto == IPPROTO_IPCOMP,
361 ("unexpected security protocol %u", sproto));
362
363 if (skip != 0) {
364 /*
365 * Fix IPv4 header
366 */
367 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
368 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
369 __func__, ipsec_address(&sav->sah->saidx.dst,
370 buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
371 IPSEC_ISTAT(sproto, hdrops);
372 error = ENOBUFS;
373 goto bad_noepoch;
374 }
375
376 ip = mtod(m, struct ip *);
377 ip->ip_len = htons(m->m_pkthdr.len);
378 ip->ip_sum = 0;
379 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
380 } else {
381 ip = mtod(m, struct ip *);
382 }
383 prot = ip->ip_p;
384 /*
385 * Check that we have NAT-T enabled and apply transport mode
386 * decapsulation NAT procedure (RFC3948).
387 * Do this before invoking into the PFIL.
388 */
389 if (sav->natt != NULL &&
390 (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
391 udp_ipsec_adjust_cksum(m, sav, prot, skip);
392
393 /*
394 * Needed for ipsec_run_hooks and netisr_queue_src
395 */
396 NET_EPOCH_ENTER(et);
397
398 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
399 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
400 goto bad;
401 ip = mtod(m, struct ip *); /* update pointer */
402
403 /* IP-in-IP encapsulation */
404 if (prot == IPPROTO_IPIP &&
405 saidx->mode != IPSEC_MODE_TRANSPORT) {
406 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
407 IPSEC_ISTAT(sproto, hdrops);
408 error = EINVAL;
409 goto bad;
410 }
411 /* enc0: strip outer IPv4 header */
412 m_striphdr(m, 0, ip->ip_hl << 2);
413 }
414 #ifdef INET6
415 /* IPv6-in-IP encapsulation. */
416 else if (prot == IPPROTO_IPV6 &&
417 saidx->mode != IPSEC_MODE_TRANSPORT) {
418 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
419 IPSEC_ISTAT(sproto, hdrops);
420 error = EINVAL;
421 goto bad;
422 }
423 /* enc0: strip IPv4 header, keep IPv6 header only */
424 m_striphdr(m, 0, ip->ip_hl << 2);
425 }
426 #endif /* INET6 */
427 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
428 /*
429 * When mode is wildcard, inner protocol is IPv6 and
430 * we have no INET6 support - drop this packet a bit later.
431 * In other cases we assume transport mode. Set prot to
432 * correctly choose netisr.
433 */
434 prot = IPPROTO_IPIP;
435 }
436
437 /*
438 * Record what we've done to the packet (under what SA it was
439 * processed).
440 */
441 if (sproto != IPPROTO_IPCOMP) {
442 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
443 sizeof(struct xform_history), M_NOWAIT);
444 if (mtag == NULL) {
445 DPRINTF(("%s: failed to get tag\n", __func__));
446 IPSEC_ISTAT(sproto, hdrops);
447 error = ENOMEM;
448 goto bad;
449 }
450
451 xh = (struct xform_history *)(mtag + 1);
452 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
453 xh->spi = sav->spi;
454 xh->proto = sproto;
455 xh->mode = saidx->mode;
456 m_tag_prepend(m, mtag);
457 }
458
459 key_sa_recordxfer(sav, m); /* record data transfer */
460
461 /*
462 * In transport mode requeue decrypted mbuf back to IPv4 protocol
463 * handler. This is necessary to correctly expose rcvif.
464 */
465 if (saidx->mode == IPSEC_MODE_TRANSPORT)
466 prot = IPPROTO_IPIP;
467 /*
468 * Re-dispatch via software interrupt.
469 */
470 switch (prot) {
471 case IPPROTO_IPIP:
472 isr_prot = NETISR_IP;
473 af = AF_INET;
474 break;
475 #ifdef INET6
476 case IPPROTO_IPV6:
477 isr_prot = NETISR_IPV6;
478 af = AF_INET6;
479 break;
480 #endif
481 default:
482 DPRINTF(("%s: cannot handle inner ip proto %d\n",
483 __func__, prot));
484 IPSEC_ISTAT(sproto, nopf);
485 error = EPFNOSUPPORT;
486 goto bad;
487 }
488
489 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
490 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
491 goto bad;
492
493 /* Handle virtual tunneling interfaces */
494 if (saidx->mode == IPSEC_MODE_TUNNEL)
495 error = ipsec_if_input(m, sav, af, sahtree_tracker);
496 else
497 ipsec_sahtree_runlock(sahtree_tracker);
498 if (error == 0) {
499 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
500 if (error) {
501 IPSEC_ISTAT(sproto, qfull);
502 DPRINTF(("%s: queue full; proto %u packet dropped\n",
503 __func__, sproto));
504 }
505 }
506 NET_EPOCH_EXIT(et);
507 key_freesav(&sav);
508 return (error);
509 bad:
510 NET_EPOCH_EXIT(et);
511 bad_noepoch:
512 ipsec_sahtree_runlock(sahtree_tracker);
513 key_freesav(&sav);
514 if (m != NULL)
515 m_freem(m);
516 return (error);
517 }
518 #endif /* INET */
519
520 #ifdef INET6
521 static bool
ipsec6_lasthdr(int proto)522 ipsec6_lasthdr(int proto)
523 {
524
525 switch (proto) {
526 case IPPROTO_IPV4:
527 case IPPROTO_IPV6:
528 case IPPROTO_GRE:
529 case IPPROTO_ICMPV6:
530 case IPPROTO_ETHERIP:
531 case IPPROTO_PIM:
532 case IPPROTO_SCTP:
533 return (true);
534 default:
535 return (false);
536 };
537 }
538
539 /*
540 * IPSEC_INPUT() method implementation for IPv6.
541 * 0 - Permitted by inbound security policy for further processing.
542 * EACCES - Forbidden by inbound security policy.
543 * EINPROGRESS - consumed by IPsec.
544 */
545 int
ipsec6_input(struct mbuf * m,int offset,int proto)546 ipsec6_input(struct mbuf *m, int offset, int proto)
547 {
548 int error;
549
550 error = ipsec_accel_input(m, offset, proto);
551 if (error != ENXIO)
552 return (error);
553
554 switch (proto) {
555 case IPPROTO_AH:
556 case IPPROTO_ESP:
557 case IPPROTO_IPCOMP:
558 /* Do inbound IPsec processing for AH/ESP/IPCOMP */
559 ipsec_common_input(m, offset,
560 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
561 return (EINPROGRESS); /* mbuf consumed by IPsec */
562 default:
563 /*
564 * Protocols with further headers get their IPsec treatment
565 * within the protocol specific processing.
566 */
567 if (!ipsec6_lasthdr(proto))
568 return (0);
569 /* FALLTHROUGH */
570 };
571 /*
572 * Enforce IPsec policy checking if we are seeing last header.
573 */
574 if (ipsec6_in_reject(m, NULL) != 0) {
575 /* Forbidden by inbound security policy */
576 m_freem(m);
577 return (EACCES);
578 }
579 return (0);
580 }
581
582 int
ipsec6_ctlinput(ipsec_ctlinput_param_t param)583 ipsec6_ctlinput(ipsec_ctlinput_param_t param)
584 {
585 return (0);
586 }
587
588 extern ipproto_input_t *ip6_protox[];
589
590 /*
591 * IPsec input callback, called by the transform callback. Takes care of
592 * filtering and other sanity checks on the processed packet.
593 */
594 int
ipsec6_common_input_cb(struct mbuf * m,struct secasvar * sav,int skip,int protoff,struct rm_priotracker * sahtree_tracker)595 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
596 int protoff, struct rm_priotracker *sahtree_tracker)
597 {
598 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
599 struct epoch_tracker et;
600 struct ipsec_ctx_data ctx;
601 struct xform_history *xh;
602 struct secasindex *saidx;
603 struct ip6_hdr *ip6;
604 struct m_tag *mtag;
605 int prot, af, sproto;
606 int nxt, isr_prot;
607 int error, nest;
608 uint8_t nxt8;
609
610 IPSEC_ASSERT(sav != NULL, ("null SA"));
611 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
612 saidx = &sav->sah->saidx;
613 af = saidx->dst.sa.sa_family;
614 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
615 sproto = saidx->proto;
616 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
617 sproto == IPPROTO_IPCOMP,
618 ("unexpected security protocol %u", sproto));
619
620 NET_EPOCH_ENTER(et);
621
622 /* Fix IPv6 header */
623 if (m->m_len < sizeof(struct ip6_hdr) &&
624 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
625 DPRINTF(("%s: processing failed for SA %s/%08lx\n",
626 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
627 sizeof(buf)), (u_long) ntohl(sav->spi)));
628
629 IPSEC_ISTAT(sproto, hdrops);
630 error = EACCES;
631 goto bad;
632 }
633
634 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
635 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
636 goto bad;
637
638 ip6 = mtod(m, struct ip6_hdr *);
639 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
640
641 /* Save protocol */
642 m_copydata(m, protoff, 1, &nxt8);
643 prot = nxt8;
644
645 /*
646 * Check that we have NAT-T enabled and apply transport mode
647 * decapsulation NAT procedure (RFC3948).
648 * Do this before invoking into the PFIL.
649 */
650 if (sav->natt != NULL &&
651 (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
652 udp_ipsec_adjust_cksum(m, sav, prot, skip);
653
654 /* IPv6-in-IP encapsulation */
655 if (prot == IPPROTO_IPV6 &&
656 saidx->mode != IPSEC_MODE_TRANSPORT) {
657 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
658 IPSEC_ISTAT(sproto, hdrops);
659 error = EINVAL;
660 goto bad;
661 }
662 /* ip6n will now contain the inner IPv6 header. */
663 m_striphdr(m, 0, skip);
664 skip = 0;
665 }
666 #ifdef INET
667 /* IP-in-IP encapsulation */
668 else if (prot == IPPROTO_IPIP &&
669 saidx->mode != IPSEC_MODE_TRANSPORT) {
670 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
671 IPSEC_ISTAT(sproto, hdrops);
672 error = EINVAL;
673 goto bad;
674 }
675 /* ipn will now contain the inner IPv4 header */
676 m_striphdr(m, 0, skip);
677 skip = 0;
678 }
679 #endif /* INET */
680 else {
681 prot = IPPROTO_IPV6; /* for correct BPF processing */
682 }
683
684 /*
685 * Record what we've done to the packet (under what SA it was
686 * processed).
687 */
688 if (sproto != IPPROTO_IPCOMP) {
689 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
690 sizeof(struct xform_history), M_NOWAIT);
691 if (mtag == NULL) {
692 DPRINTF(("%s: failed to get tag\n", __func__));
693 IPSEC_ISTAT(sproto, hdrops);
694 error = ENOMEM;
695 goto bad;
696 }
697
698 xh = (struct xform_history *)(mtag + 1);
699 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
700 xh->spi = sav->spi;
701 xh->proto = sproto;
702 xh->mode = saidx->mode;
703 m_tag_prepend(m, mtag);
704 }
705
706 key_sa_recordxfer(sav, m);
707
708 #ifdef INET
709 if (prot == IPPROTO_IPIP)
710 af = AF_INET;
711 else
712 #endif
713 af = AF_INET6;
714 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
715 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
716 goto bad;
717 if (skip == 0) {
718 /*
719 * We stripped outer IPv6 header.
720 * Now we should requeue decrypted packet via netisr.
721 */
722 switch (prot) {
723 #ifdef INET
724 case IPPROTO_IPIP:
725 isr_prot = NETISR_IP;
726 break;
727 #endif
728 case IPPROTO_IPV6:
729 isr_prot = NETISR_IPV6;
730 break;
731 default:
732 DPRINTF(("%s: cannot handle inner ip proto %d\n",
733 __func__, prot));
734 IPSEC_ISTAT(sproto, nopf);
735 error = EPFNOSUPPORT;
736 goto bad;
737 }
738 /* Handle virtual tunneling interfaces */
739 if (saidx->mode == IPSEC_MODE_TUNNEL)
740 error = ipsec_if_input(m, sav, af, sahtree_tracker);
741 else
742 ipsec_sahtree_runlock(sahtree_tracker);
743 if (error == 0) {
744 error = netisr_queue_src(isr_prot,
745 (uintptr_t)sav->spi, m);
746 if (error) {
747 IPSEC_ISTAT(sproto, qfull);
748 DPRINTF(("%s: queue full; proto %u packet"
749 " dropped\n", __func__, sproto));
750 }
751 }
752 NET_EPOCH_EXIT(et);
753 key_freesav(&sav);
754 return (error);
755 }
756
757 ipsec_sahtree_runlock(sahtree_tracker);
758
759 /*
760 * See the end of ip6_input for this logic.
761 * IPPROTO_IPV[46] case will be processed just like other ones
762 */
763 nest = 0;
764 nxt = nxt8;
765 while (nxt != IPPROTO_DONE) {
766 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
767 IP6STAT_INC(ip6s_toomanyhdr);
768 error = EINVAL;
769 goto bad;
770 }
771
772 /*
773 * Protection against faulty packet - there should be
774 * more sanity checks in header chain processing.
775 */
776 if (m->m_pkthdr.len < skip) {
777 IP6STAT_INC(ip6s_tooshort);
778 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
779 error = EINVAL;
780 goto bad;
781 }
782 /*
783 * Enforce IPsec policy checking if we are seeing last header.
784 * note that we do not visit this with protocols with pcb layer
785 * code - like udp/tcp/raw ip.
786 */
787 if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) {
788 error = EINVAL;
789 goto bad;
790 }
791 nxt = ip6_protox[nxt](&m, &skip, nxt);
792 }
793 NET_EPOCH_EXIT(et);
794 key_freesav(&sav);
795 return (0);
796 bad:
797 NET_EPOCH_EXIT(et);
798 ipsec_sahtree_runlock(sahtree_tracker);
799 key_freesav(&sav);
800 if (m)
801 m_freem(m);
802 return (error);
803 }
804 #endif /* INET6 */
805