1 /* $FreeBSD$ */ 2 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ 3 /*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 2001, Angelos D. Keromytis. 22 * 23 * Permission to use, copy, and modify this software with or without fee 24 * is hereby granted, provided that this entire notice is included in 25 * all copies of any software which is or includes a copy or 26 * modification of this software. 27 * You may use this code under the GNU public license if you so wish. Please 28 * contribute changes back to the authors under this freer than GPL license 29 * so that we may further the use of strong encryption without limitations to 30 * all. 31 * 32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 36 * PURPOSE. 37 */ 38 39 /* 40 * IPsec input processing. 41 */ 42 43 #include "opt_inet.h" 44 #include "opt_inet6.h" 45 #include "opt_ipsec.h" 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/malloc.h> 50 #include <sys/mbuf.h> 51 #include <sys/domain.h> 52 #include <sys/protosw.h> 53 #include <sys/socket.h> 54 #include <sys/errno.h> 55 #include <sys/hhook.h> 56 #include <sys/syslog.h> 57 58 #include <net/if.h> 59 #include <net/if_var.h> 60 #include <net/if_enc.h> 61 #include <net/netisr.h> 62 #include <net/vnet.h> 63 64 #include <netinet/in.h> 65 #include <netinet/in_systm.h> 66 #include <netinet/ip.h> 67 #include <netinet/ip_var.h> 68 #include <netinet/in_var.h> 69 70 #include <netinet/ip6.h> 71 #ifdef INET6 72 #include <netinet6/ip6_var.h> 73 #endif 74 #include <netinet/in_pcb.h> 75 #ifdef INET6 76 #include <netinet/icmp6.h> 77 #endif 78 79 #include <netipsec/ipsec.h> 80 #ifdef INET6 81 #include <netipsec/ipsec6.h> 82 #endif 83 #include <netipsec/ah_var.h> 84 #include <netipsec/esp.h> 85 #include <netipsec/esp_var.h> 86 #include <netipsec/ipcomp_var.h> 87 88 #include <netipsec/key.h> 89 #include <netipsec/keydb.h> 90 91 #include <netipsec/xform.h> 92 #include <netinet6/ip6protosw.h> 93 94 #include <machine/in_cksum.h> 95 #include <machine/stdarg.h> 96 97 98 #define IPSEC_ISTAT(proto, name) do { \ 99 if ((proto) == IPPROTO_ESP) \ 100 ESPSTAT_INC(esps_##name); \ 101 else if ((proto) == IPPROTO_AH) \ 102 AHSTAT_INC(ahs_##name); \ 103 else \ 104 IPCOMPSTAT_INC(ipcomps_##name); \ 105 } while (0) 106 107 #ifdef INET 108 static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); 109 #endif 110 111 /* 112 * ipsec_common_input gets called when an IPsec-protected packet 113 * is received by IPv4 or IPv6. Its job is to find the right SA 114 * and call the appropriate transform. The transform callback 115 * takes care of further processing (like ingress filtering). 116 */ 117 int 118 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) 119 { 120 char buf[INET6_ADDRSTRLEN]; 121 union sockaddr_union dst_address; 122 struct secasvar *sav; 123 u_int32_t spi; 124 int error; 125 #ifdef INET 126 #ifdef IPSEC_NAT_T 127 struct m_tag *tag; 128 #endif 129 #endif 130 131 IPSEC_ISTAT(sproto, input); 132 133 IPSEC_ASSERT(m != NULL, ("null packet")); 134 135 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 136 sproto == IPPROTO_IPCOMP, 137 ("unexpected security protocol %u", sproto)); 138 139 if ((sproto == IPPROTO_ESP && !V_esp_enable) || 140 (sproto == IPPROTO_AH && !V_ah_enable) || 141 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 142 m_freem(m); 143 IPSEC_ISTAT(sproto, pdrops); 144 return EOPNOTSUPP; 145 } 146 147 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 148 m_freem(m); 149 IPSEC_ISTAT(sproto, hdrops); 150 DPRINTF(("%s: packet too small\n", __func__)); 151 return EINVAL; 152 } 153 154 /* Retrieve the SPI from the relevant IPsec header */ 155 if (sproto == IPPROTO_ESP) 156 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 157 else if (sproto == IPPROTO_AH) 158 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 159 (caddr_t) &spi); 160 else if (sproto == IPPROTO_IPCOMP) { 161 u_int16_t cpi; 162 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 163 (caddr_t) &cpi); 164 spi = ntohl(htons(cpi)); 165 } 166 167 /* 168 * Find the SA and (indirectly) call the appropriate 169 * kernel crypto routine. The resulting mbuf chain is a valid 170 * IP packet ready to go through input processing. 171 */ 172 bzero(&dst_address, sizeof (dst_address)); 173 dst_address.sa.sa_family = af; 174 switch (af) { 175 #ifdef INET 176 case AF_INET: 177 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 178 m_copydata(m, offsetof(struct ip, ip_dst), 179 sizeof(struct in_addr), 180 (caddr_t) &dst_address.sin.sin_addr); 181 #ifdef IPSEC_NAT_T 182 /* Find the source port for NAT-T; see udp*_espdecap. */ 183 tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL); 184 if (tag != NULL) 185 dst_address.sin.sin_port = ((u_int16_t *)(tag + 1))[1]; 186 #endif /* IPSEC_NAT_T */ 187 break; 188 #endif /* INET */ 189 #ifdef INET6 190 case AF_INET6: 191 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 192 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 193 sizeof(struct in6_addr), 194 (caddr_t) &dst_address.sin6.sin6_addr); 195 /* We keep addresses in SADB without embedded scope id */ 196 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) { 197 /* XXX: sa6_recoverscope() */ 198 dst_address.sin6.sin6_scope_id = 199 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]); 200 dst_address.sin6.sin6_addr.s6_addr16[1] = 0; 201 } 202 break; 203 #endif /* INET6 */ 204 default: 205 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); 206 m_freem(m); 207 IPSEC_ISTAT(sproto, nopf); 208 return EPFNOSUPPORT; 209 } 210 211 /* NB: only pass dst since key_allocsa follows RFC2401 */ 212 sav = KEY_ALLOCSA(&dst_address, sproto, spi); 213 if (sav == NULL) { 214 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", 215 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 216 (u_long) ntohl(spi), sproto)); 217 IPSEC_ISTAT(sproto, notdb); 218 m_freem(m); 219 return ENOENT; 220 } 221 222 if (sav->tdb_xform == NULL) { 223 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", 224 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 225 (u_long) ntohl(spi), sproto)); 226 IPSEC_ISTAT(sproto, noxform); 227 KEY_FREESAV(&sav); 228 m_freem(m); 229 return ENXIO; 230 } 231 232 /* 233 * Call appropriate transform and return -- callback takes care of 234 * everything else. 235 */ 236 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); 237 KEY_FREESAV(&sav); 238 return error; 239 } 240 241 #ifdef INET 242 int 243 ah4_input(struct mbuf **mp, int *offp, int proto) 244 { 245 struct mbuf *m; 246 int off; 247 248 m = *mp; 249 off = *offp; 250 *mp = NULL; 251 252 ipsec_common_input(m, off, offsetof(struct ip, ip_p), 253 AF_INET, IPPROTO_AH); 254 return (IPPROTO_DONE); 255 } 256 void 257 ah4_ctlinput(int cmd, struct sockaddr *sa, void *v) 258 { 259 if (sa->sa_family == AF_INET && 260 sa->sa_len == sizeof(struct sockaddr_in)) 261 ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_AH); 262 } 263 264 int 265 esp4_input(struct mbuf **mp, int *offp, int proto) 266 { 267 struct mbuf *m; 268 int off; 269 270 m = *mp; 271 off = *offp; 272 mp = NULL; 273 274 ipsec_common_input(m, off, offsetof(struct ip, ip_p), 275 AF_INET, IPPROTO_ESP); 276 return (IPPROTO_DONE); 277 } 278 279 void 280 esp4_ctlinput(int cmd, struct sockaddr *sa, void *v) 281 { 282 if (sa->sa_family == AF_INET && 283 sa->sa_len == sizeof(struct sockaddr_in)) 284 ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_ESP); 285 } 286 287 int 288 ipcomp4_input(struct mbuf **mp, int *offp, int proto) 289 { 290 struct mbuf *m; 291 int off; 292 293 m = *mp; 294 off = *offp; 295 mp = NULL; 296 297 ipsec_common_input(m, off, offsetof(struct ip, ip_p), 298 AF_INET, IPPROTO_IPCOMP); 299 return (IPPROTO_DONE); 300 } 301 302 /* 303 * IPsec input callback for INET protocols. 304 * This routine is called as the transform callback. 305 * Takes care of filtering and other sanity checks on 306 * the processed packet. 307 */ 308 int 309 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 310 int protoff) 311 { 312 char buf[INET6_ADDRSTRLEN]; 313 struct ipsec_ctx_data ctx; 314 int prot, af, sproto, isr_prot; 315 struct ip *ip; 316 struct m_tag *mtag; 317 struct tdb_ident *tdbi; 318 struct secasindex *saidx; 319 int error; 320 #ifdef INET6 321 #ifdef notyet 322 char ip6buf[INET6_ADDRSTRLEN]; 323 #endif 324 #endif 325 326 IPSEC_ASSERT(m != NULL, ("null mbuf")); 327 IPSEC_ASSERT(sav != NULL, ("null SA")); 328 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 329 saidx = &sav->sah->saidx; 330 af = saidx->dst.sa.sa_family; 331 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af)); 332 sproto = saidx->proto; 333 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 334 sproto == IPPROTO_IPCOMP, 335 ("unexpected security protocol %u", sproto)); 336 337 if (skip != 0) { 338 /* 339 * Fix IPv4 header 340 * XXXGL: do we need this entire block? 341 */ 342 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 343 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 344 __func__, ipsec_address(&sav->sah->saidx.dst, 345 buf, sizeof(buf)), (u_long) ntohl(sav->spi))); 346 IPSEC_ISTAT(sproto, hdrops); 347 error = ENOBUFS; 348 goto bad; 349 } 350 351 ip = mtod(m, struct ip *); 352 ip->ip_len = htons(m->m_pkthdr.len); 353 ip->ip_sum = 0; 354 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 355 } else { 356 ip = mtod(m, struct ip *); 357 } 358 prot = ip->ip_p; 359 360 IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE); 361 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 362 goto bad; 363 ip = mtod(m, struct ip *); 364 365 /* IP-in-IP encapsulation */ 366 if (prot == IPPROTO_IPIP && 367 saidx->mode != IPSEC_MODE_TRANSPORT) { 368 369 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 370 IPSEC_ISTAT(sproto, hdrops); 371 error = EINVAL; 372 goto bad; 373 } 374 /* enc0: strip outer IPv4 header */ 375 m_striphdr(m, 0, ip->ip_hl << 2); 376 377 #ifdef notyet 378 /* XXX PROXY address isn't recorded in SAH */ 379 /* 380 * Check that the inner source address is the same as 381 * the proxy address, if available. 382 */ 383 if ((saidx->proxy.sa.sa_family == AF_INET && 384 saidx->proxy.sin.sin_addr.s_addr != 385 INADDR_ANY && 386 ipn.ip_src.s_addr != 387 saidx->proxy.sin.sin_addr.s_addr) || 388 (saidx->proxy.sa.sa_family != AF_INET && 389 saidx->proxy.sa.sa_family != 0)) { 390 391 DPRINTF(("%s: inner source address %s doesn't " 392 "correspond to expected proxy source %s, " 393 "SA %s/%08lx\n", __func__, 394 inet_ntoa4(ipn.ip_src), 395 ipsp_address(saidx->proxy), 396 ipsp_address(saidx->dst), 397 (u_long) ntohl(sav->spi))); 398 399 IPSEC_ISTAT(sproto, pdrops); 400 error = EACCES; 401 goto bad; 402 } 403 #endif /* notyet */ 404 } 405 #ifdef INET6 406 /* IPv6-in-IP encapsulation. */ 407 else if (prot == IPPROTO_IPV6 && 408 saidx->mode != IPSEC_MODE_TRANSPORT) { 409 410 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 411 IPSEC_ISTAT(sproto, hdrops); 412 error = EINVAL; 413 goto bad; 414 } 415 /* enc0: strip IPv4 header, keep IPv6 header only */ 416 m_striphdr(m, 0, ip->ip_hl << 2); 417 #ifdef notyet 418 /* 419 * Check that the inner source address is the same as 420 * the proxy address, if available. 421 */ 422 if ((saidx->proxy.sa.sa_family == AF_INET6 && 423 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && 424 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, 425 &saidx->proxy.sin6.sin6_addr)) || 426 (saidx->proxy.sa.sa_family != AF_INET6 && 427 saidx->proxy.sa.sa_family != 0)) { 428 429 DPRINTF(("%s: inner source address %s doesn't " 430 "correspond to expected proxy source %s, " 431 "SA %s/%08lx\n", __func__, 432 ip6_sprintf(ip6buf, &ip6n.ip6_src), 433 ipsec_address(&saidx->proxy), 434 ipsec_address(&saidx->dst), 435 (u_long) ntohl(sav->spi))); 436 437 IPSEC_ISTAT(sproto, pdrops); 438 error = EACCES; 439 goto bad; 440 } 441 #endif /* notyet */ 442 } 443 #endif /* INET6 */ 444 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) { 445 /* 446 * When mode is wildcard, inner protocol is IPv6 and 447 * we have no INET6 support - drop this packet a bit later. 448 * In other cases we assume transport mode and outer 449 * header was already stripped in xform_xxx_cb. 450 */ 451 prot = IPPROTO_IPIP; 452 } 453 454 /* 455 * Record what we've done to the packet (under what SA it was 456 * processed). 457 */ 458 if (sproto != IPPROTO_IPCOMP) { 459 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 460 sizeof(struct tdb_ident), M_NOWAIT); 461 if (mtag == NULL) { 462 DPRINTF(("%s: failed to get tag\n", __func__)); 463 IPSEC_ISTAT(sproto, hdrops); 464 error = ENOMEM; 465 goto bad; 466 } 467 468 tdbi = (struct tdb_ident *)(mtag + 1); 469 bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len); 470 tdbi->proto = sproto; 471 tdbi->spi = sav->spi; 472 /* Cache those two for enc(4) in xform_ipip. */ 473 tdbi->alg_auth = sav->alg_auth; 474 tdbi->alg_enc = sav->alg_enc; 475 476 m_tag_prepend(m, mtag); 477 } 478 479 key_sa_recordxfer(sav, m); /* record data transfer */ 480 481 /* 482 * In transport mode requeue decrypted mbuf back to IPv4 protocol 483 * handler. This is necessary to correctly expose rcvif. 484 */ 485 if (saidx->mode == IPSEC_MODE_TRANSPORT) 486 prot = IPPROTO_IPIP; 487 /* 488 * Re-dispatch via software interrupt. 489 */ 490 switch (prot) { 491 case IPPROTO_IPIP: 492 isr_prot = NETISR_IP; 493 af = AF_INET; 494 break; 495 #ifdef INET6 496 case IPPROTO_IPV6: 497 isr_prot = NETISR_IPV6; 498 af = AF_INET6; 499 break; 500 #endif 501 default: 502 DPRINTF(("%s: cannot handle inner ip proto %d\n", 503 __func__, prot)); 504 IPSEC_ISTAT(sproto, nopf); 505 error = EPFNOSUPPORT; 506 goto bad; 507 } 508 509 IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER); 510 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 511 goto bad; 512 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); 513 if (error) { 514 IPSEC_ISTAT(sproto, qfull); 515 DPRINTF(("%s: queue full; proto %u packet dropped\n", 516 __func__, sproto)); 517 return error; 518 } 519 return 0; 520 bad: 521 m_freem(m); 522 return error; 523 } 524 525 void 526 ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto) 527 { 528 /* XXX nothing just yet */ 529 } 530 #endif /* INET */ 531 532 #ifdef INET6 533 /* IPv6 AH wrapper. */ 534 int 535 ipsec6_common_input(struct mbuf **mp, int *offp, int proto) 536 { 537 int l = 0; 538 int protoff; 539 struct ip6_ext ip6e; 540 541 if (*offp < sizeof(struct ip6_hdr)) { 542 DPRINTF(("%s: bad offset %u\n", __func__, *offp)); 543 return IPPROTO_DONE; 544 } else if (*offp == sizeof(struct ip6_hdr)) { 545 protoff = offsetof(struct ip6_hdr, ip6_nxt); 546 } else { 547 /* Chase down the header chain... */ 548 protoff = sizeof(struct ip6_hdr); 549 550 do { 551 protoff += l; 552 m_copydata(*mp, protoff, sizeof(ip6e), 553 (caddr_t) &ip6e); 554 555 if (ip6e.ip6e_nxt == IPPROTO_AH) 556 l = (ip6e.ip6e_len + 2) << 2; 557 else 558 l = (ip6e.ip6e_len + 1) << 3; 559 IPSEC_ASSERT(l > 0, ("l went zero or negative")); 560 } while (protoff + l < *offp); 561 562 /* Malformed packet check */ 563 if (protoff + l != *offp) { 564 DPRINTF(("%s: bad packet header chain, protoff %u, " 565 "l %u, off %u\n", __func__, protoff, l, *offp)); 566 IPSEC_ISTAT(proto, hdrops); 567 m_freem(*mp); 568 *mp = NULL; 569 return IPPROTO_DONE; 570 } 571 protoff += offsetof(struct ip6_ext, ip6e_nxt); 572 } 573 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto); 574 return IPPROTO_DONE; 575 } 576 577 /* 578 * IPsec input callback, called by the transform callback. Takes care of 579 * filtering and other sanity checks on the processed packet. 580 */ 581 int 582 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 583 int protoff) 584 { 585 char buf[INET6_ADDRSTRLEN]; 586 struct ipsec_ctx_data ctx; 587 int prot, af, sproto; 588 struct ip6_hdr *ip6; 589 struct m_tag *mtag; 590 struct tdb_ident *tdbi; 591 struct secasindex *saidx; 592 int nxt, isr_prot; 593 u_int8_t nxt8; 594 int error, nest; 595 #ifdef notyet 596 char ip6buf[INET6_ADDRSTRLEN]; 597 #endif 598 599 IPSEC_ASSERT(m != NULL, ("null mbuf")); 600 IPSEC_ASSERT(sav != NULL, ("null SA")); 601 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 602 saidx = &sav->sah->saidx; 603 af = saidx->dst.sa.sa_family; 604 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af)); 605 sproto = saidx->proto; 606 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 607 sproto == IPPROTO_IPCOMP, 608 ("unexpected security protocol %u", sproto)); 609 610 /* Fix IPv6 header */ 611 if (m->m_len < sizeof(struct ip6_hdr) && 612 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 613 614 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 615 __func__, ipsec_address(&sav->sah->saidx.dst, buf, 616 sizeof(buf)), (u_long) ntohl(sav->spi))); 617 618 IPSEC_ISTAT(sproto, hdrops); 619 error = EACCES; 620 goto bad; 621 } 622 623 ip6 = mtod(m, struct ip6_hdr *); 624 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 625 626 IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_BEFORE); 627 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 628 goto bad; 629 /* Save protocol */ 630 m_copydata(m, protoff, 1, &nxt8); 631 prot = nxt8; 632 633 /* IPv6-in-IP encapsulation */ 634 if (prot == IPPROTO_IPV6 && 635 saidx->mode != IPSEC_MODE_TRANSPORT) { 636 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 637 IPSEC_ISTAT(sproto, hdrops); 638 error = EINVAL; 639 goto bad; 640 } 641 /* ip6n will now contain the inner IPv6 header. */ 642 m_striphdr(m, 0, skip); 643 skip = 0; 644 #ifdef notyet 645 /* 646 * Check that the inner source address is the same as 647 * the proxy address, if available. 648 */ 649 if ((saidx->proxy.sa.sa_family == AF_INET6 && 650 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && 651 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, 652 &saidx->proxy.sin6.sin6_addr)) || 653 (saidx->proxy.sa.sa_family != AF_INET6 && 654 saidx->proxy.sa.sa_family != 0)) { 655 656 DPRINTF(("%s: inner source address %s doesn't " 657 "correspond to expected proxy source %s, " 658 "SA %s/%08lx\n", __func__, 659 ip6_sprintf(ip6buf, &ip6n.ip6_src), 660 ipsec_address(&saidx->proxy), 661 ipsec_address(&saidx->dst), 662 (u_long) ntohl(sav->spi))); 663 664 IPSEC_ISTAT(sproto, pdrops); 665 error = EACCES; 666 goto bad; 667 } 668 #endif /* notyet */ 669 } 670 #ifdef INET 671 /* IP-in-IP encapsulation */ 672 else if (prot == IPPROTO_IPIP && 673 saidx->mode != IPSEC_MODE_TRANSPORT) { 674 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 675 IPSEC_ISTAT(sproto, hdrops); 676 error = EINVAL; 677 goto bad; 678 } 679 /* ipn will now contain the inner IPv4 header */ 680 m_striphdr(m, 0, skip); 681 skip = 0; 682 #ifdef notyet 683 /* 684 * Check that the inner source address is the same as 685 * the proxy address, if available. 686 */ 687 if ((saidx->proxy.sa.sa_family == AF_INET && 688 saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY && 689 ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) || 690 (saidx->proxy.sa.sa_family != AF_INET && 691 saidx->proxy.sa.sa_family != 0)) { 692 693 DPRINTF(("%s: inner source address %s doesn't " 694 "correspond to expected proxy source %s, " 695 "SA %s/%08lx\n", __func__, 696 inet_ntoa4(ipn.ip_src), 697 ipsec_address(&saidx->proxy), 698 ipsec_address(&saidx->dst), 699 (u_long) ntohl(sav->spi))); 700 701 IPSEC_ISTAT(sproto, pdrops); 702 error = EACCES; 703 goto bad; 704 } 705 #endif /* notyet */ 706 } 707 #endif /* INET */ 708 else { 709 prot = IPPROTO_IPV6; /* for correct BPF processing */ 710 } 711 712 /* 713 * Record what we've done to the packet (under what SA it was 714 * processed). 715 */ 716 if (sproto != IPPROTO_IPCOMP) { 717 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 718 sizeof(struct tdb_ident), M_NOWAIT); 719 if (mtag == NULL) { 720 DPRINTF(("%s: failed to get tag\n", __func__)); 721 IPSEC_ISTAT(sproto, hdrops); 722 error = ENOMEM; 723 goto bad; 724 } 725 726 tdbi = (struct tdb_ident *)(mtag + 1); 727 bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union)); 728 tdbi->proto = sproto; 729 tdbi->spi = sav->spi; 730 /* Cache those two for enc(4) in xform_ipip. */ 731 tdbi->alg_auth = sav->alg_auth; 732 tdbi->alg_enc = sav->alg_enc; 733 734 m_tag_prepend(m, mtag); 735 } 736 737 key_sa_recordxfer(sav, m); 738 739 740 #ifdef INET 741 if (prot == IPPROTO_IPIP) 742 af = AF_INET; 743 else 744 #endif 745 af = AF_INET6; 746 IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER); 747 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 748 goto bad; 749 if (skip == 0) { 750 /* 751 * We stripped outer IPv6 header. 752 * Now we should requeue decrypted packet via netisr. 753 */ 754 switch (prot) { 755 #ifdef INET 756 case IPPROTO_IPIP: 757 isr_prot = NETISR_IP; 758 break; 759 #endif 760 case IPPROTO_IPV6: 761 isr_prot = NETISR_IPV6; 762 break; 763 default: 764 DPRINTF(("%s: cannot handle inner ip proto %d\n", 765 __func__, prot)); 766 IPSEC_ISTAT(sproto, nopf); 767 error = EPFNOSUPPORT; 768 goto bad; 769 } 770 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); 771 if (error) { 772 IPSEC_ISTAT(sproto, qfull); 773 DPRINTF(("%s: queue full; proto %u packet dropped\n", 774 __func__, sproto)); 775 } 776 return (error); 777 } 778 /* 779 * See the end of ip6_input for this logic. 780 * IPPROTO_IPV[46] case will be processed just like other ones 781 */ 782 nest = 0; 783 nxt = nxt8; 784 while (nxt != IPPROTO_DONE) { 785 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { 786 IP6STAT_INC(ip6s_toomanyhdr); 787 error = EINVAL; 788 goto bad; 789 } 790 791 /* 792 * Protection against faulty packet - there should be 793 * more sanity checks in header chain processing. 794 */ 795 if (m->m_pkthdr.len < skip) { 796 IP6STAT_INC(ip6s_tooshort); 797 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 798 error = EINVAL; 799 goto bad; 800 } 801 /* 802 * Enforce IPsec policy checking if we are seeing last header. 803 * note that we do not visit this with protocols with pcb layer 804 * code - like udp/tcp/raw ip. 805 */ 806 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 807 ipsec6_in_reject(m, NULL)) { 808 error = EINVAL; 809 goto bad; 810 } 811 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); 812 } 813 return 0; 814 bad: 815 if (m) 816 m_freem(m); 817 return error; 818 } 819 820 void 821 esp6_ctlinput(int cmd, struct sockaddr *sa, void *d) 822 { 823 struct ip6ctlparam *ip6cp = NULL; 824 struct mbuf *m = NULL; 825 struct ip6_hdr *ip6; 826 int off; 827 828 if (sa->sa_family != AF_INET6 || 829 sa->sa_len != sizeof(struct sockaddr_in6)) 830 return; 831 if ((unsigned)cmd >= PRC_NCMDS) 832 return; 833 834 /* if the parameter is from icmp6, decode it. */ 835 if (d != NULL) { 836 ip6cp = (struct ip6ctlparam *)d; 837 m = ip6cp->ip6c_m; 838 ip6 = ip6cp->ip6c_ip6; 839 off = ip6cp->ip6c_off; 840 } else { 841 m = NULL; 842 ip6 = NULL; 843 off = 0; /* calm gcc */ 844 } 845 846 if (ip6 != NULL) { 847 848 struct ip6ctlparam ip6cp1; 849 850 /* 851 * Notify the error to all possible sockets via pfctlinput2. 852 * Since the upper layer information (such as protocol type, 853 * source and destination ports) is embedded in the encrypted 854 * data and might have been cut, we can't directly call 855 * an upper layer ctlinput function. However, the pcbnotify 856 * function will consider source and destination addresses 857 * as well as the flow info value, and may be able to find 858 * some PCB that should be notified. 859 * Although pfctlinput2 will call esp6_ctlinput(), there is 860 * no possibility of an infinite loop of function calls, 861 * because we don't pass the inner IPv6 header. 862 */ 863 bzero(&ip6cp1, sizeof(ip6cp1)); 864 ip6cp1.ip6c_src = ip6cp->ip6c_src; 865 pfctlinput2(cmd, sa, (void *)&ip6cp1); 866 867 /* 868 * Then go to special cases that need ESP header information. 869 * XXX: We assume that when ip6 is non NULL, 870 * M and OFF are valid. 871 */ 872 873 if (cmd == PRC_MSGSIZE) { 874 struct secasvar *sav; 875 u_int32_t spi; 876 int valid; 877 878 /* check header length before using m_copydata */ 879 if (m->m_pkthdr.len < off + sizeof (struct esp)) 880 return; 881 m_copydata(m, off + offsetof(struct esp, esp_spi), 882 sizeof(u_int32_t), (caddr_t) &spi); 883 /* 884 * Check to see if we have a valid SA corresponding to 885 * the address in the ICMP message payload. 886 */ 887 sav = KEY_ALLOCSA((union sockaddr_union *)sa, 888 IPPROTO_ESP, spi); 889 valid = (sav != NULL); 890 if (sav) 891 KEY_FREESAV(&sav); 892 893 /* XXX Further validation? */ 894 895 /* 896 * Depending on whether the SA is "valid" and 897 * routing table size (mtudisc_{hi,lo}wat), we will: 898 * - recalcurate the new MTU and create the 899 * corresponding routing entry, or 900 * - ignore the MTU change notification. 901 */ 902 icmp6_mtudisc_update(ip6cp, valid); 903 } 904 } else { 905 /* we normally notify any pcb here */ 906 } 907 } 908 #endif /* INET6 */ 909