1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ 2 /*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 22 * 23 * Permission to use, copy, and modify this software with or without fee 24 * is hereby granted, provided that this entire notice is included in 25 * all copies of any software which is or includes a copy or 26 * modification of this software. 27 * You may use this code under the GNU public license if you so wish. Please 28 * contribute changes back to the authors under this freer than GPL license 29 * so that we may further the use of strong encryption without limitations to 30 * all. 31 * 32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 36 * PURPOSE. 37 */ 38 39 /* 40 * IPsec input processing. 41 */ 42 43 #include <sys/cdefs.h> 44 __FBSDID("$FreeBSD$"); 45 46 #include "opt_inet.h" 47 #include "opt_inet6.h" 48 #include "opt_ipsec.h" 49 50 #include <sys/param.h> 51 #include <sys/systm.h> 52 #include <sys/malloc.h> 53 #include <sys/mbuf.h> 54 #include <sys/domain.h> 55 #include <sys/protosw.h> 56 #include <sys/socket.h> 57 #include <sys/errno.h> 58 #include <sys/hhook.h> 59 #include <sys/syslog.h> 60 61 #include <net/if.h> 62 #include <net/if_var.h> 63 #include <net/if_enc.h> 64 #include <net/netisr.h> 65 #include <net/vnet.h> 66 67 #include <netinet/in.h> 68 #include <netinet/in_systm.h> 69 #include <netinet/ip.h> 70 #include <netinet/ip_var.h> 71 #include <netinet/ip_icmp.h> 72 #include <netinet/in_var.h> 73 #include <netinet/tcp_var.h> 74 75 #include <netinet/ip6.h> 76 #ifdef INET6 77 #include <netinet6/ip6_var.h> 78 #endif 79 #include <netinet/in_pcb.h> 80 #ifdef INET6 81 #include <netinet/icmp6.h> 82 #endif 83 84 #include <netipsec/ipsec.h> 85 #ifdef INET6 86 #include <netipsec/ipsec6.h> 87 #endif 88 #include <netipsec/ah_var.h> 89 #include <netipsec/esp.h> 90 #include <netipsec/esp_var.h> 91 #include <netipsec/ipcomp_var.h> 92 93 #include <netipsec/key.h> 94 #include <netipsec/keydb.h> 95 #include <netipsec/key_debug.h> 96 97 #include <netipsec/xform.h> 98 #include <netinet6/ip6protosw.h> 99 100 #include <machine/in_cksum.h> 101 #include <machine/stdarg.h> 102 103 #define IPSEC_ISTAT(proto, name) do { \ 104 if ((proto) == IPPROTO_ESP) \ 105 ESPSTAT_INC(esps_##name); \ 106 else if ((proto) == IPPROTO_AH) \ 107 AHSTAT_INC(ahs_##name); \ 108 else \ 109 IPCOMPSTAT_INC(ipcomps_##name); \ 110 } while (0) 111 112 /* 113 * ipsec_common_input gets called when an IPsec-protected packet 114 * is received by IPv4 or IPv6. Its job is to find the right SA 115 * and call the appropriate transform. The transform callback 116 * takes care of further processing (like ingress filtering). 117 */ 118 static int 119 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) 120 { 121 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 122 union sockaddr_union dst_address; 123 struct secasvar *sav; 124 uint32_t spi; 125 int error; 126 127 IPSEC_ISTAT(sproto, input); 128 129 IPSEC_ASSERT(m != NULL, ("null packet")); 130 131 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 132 sproto == IPPROTO_IPCOMP, 133 ("unexpected security protocol %u", sproto)); 134 135 if ((sproto == IPPROTO_ESP && !V_esp_enable) || 136 (sproto == IPPROTO_AH && !V_ah_enable) || 137 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 138 m_freem(m); 139 IPSEC_ISTAT(sproto, pdrops); 140 return EOPNOTSUPP; 141 } 142 143 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 144 m_freem(m); 145 IPSEC_ISTAT(sproto, hdrops); 146 DPRINTF(("%s: packet too small\n", __func__)); 147 return EINVAL; 148 } 149 150 /* Retrieve the SPI from the relevant IPsec header */ 151 if (sproto == IPPROTO_ESP) 152 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 153 else if (sproto == IPPROTO_AH) 154 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 155 (caddr_t) &spi); 156 else if (sproto == IPPROTO_IPCOMP) { 157 u_int16_t cpi; 158 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 159 (caddr_t) &cpi); 160 spi = ntohl(htons(cpi)); 161 } 162 163 /* 164 * Find the SA and (indirectly) call the appropriate 165 * kernel crypto routine. The resulting mbuf chain is a valid 166 * IP packet ready to go through input processing. 167 */ 168 bzero(&dst_address, sizeof (dst_address)); 169 dst_address.sa.sa_family = af; 170 switch (af) { 171 #ifdef INET 172 case AF_INET: 173 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 174 m_copydata(m, offsetof(struct ip, ip_dst), 175 sizeof(struct in_addr), 176 (caddr_t) &dst_address.sin.sin_addr); 177 break; 178 #endif /* INET */ 179 #ifdef INET6 180 case AF_INET6: 181 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 182 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 183 sizeof(struct in6_addr), 184 (caddr_t) &dst_address.sin6.sin6_addr); 185 /* We keep addresses in SADB without embedded scope id */ 186 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) { 187 /* XXX: sa6_recoverscope() */ 188 dst_address.sin6.sin6_scope_id = 189 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]); 190 dst_address.sin6.sin6_addr.s6_addr16[1] = 0; 191 } 192 break; 193 #endif /* INET6 */ 194 default: 195 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); 196 m_freem(m); 197 IPSEC_ISTAT(sproto, nopf); 198 return EPFNOSUPPORT; 199 } 200 201 /* NB: only pass dst since key_allocsa follows RFC2401 */ 202 sav = key_allocsa(&dst_address, sproto, spi); 203 if (sav == NULL) { 204 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", 205 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 206 (u_long) ntohl(spi), sproto)); 207 IPSEC_ISTAT(sproto, notdb); 208 m_freem(m); 209 return ENOENT; 210 } 211 212 if (sav->tdb_xform == NULL) { 213 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", 214 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 215 (u_long) ntohl(spi), sproto)); 216 IPSEC_ISTAT(sproto, noxform); 217 key_freesav(&sav); 218 m_freem(m); 219 return ENXIO; 220 } 221 222 /* 223 * Call appropriate transform and return -- callback takes care of 224 * everything else. 225 */ 226 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); 227 return (error); 228 } 229 230 #ifdef INET 231 extern struct protosw inetsw[]; 232 233 /* 234 * IPSEC_INPUT() method implementation for IPv4. 235 * 0 - Permitted by inbound security policy for further processing. 236 * EACCES - Forbidden by inbound security policy. 237 * EINPROGRESS - consumed by IPsec. 238 */ 239 int 240 ipsec4_input(struct mbuf *m, int offset, int proto) 241 { 242 243 switch (proto) { 244 case IPPROTO_AH: 245 case IPPROTO_ESP: 246 case IPPROTO_IPCOMP: 247 /* Do inbound IPsec processing for AH/ESP/IPCOMP */ 248 ipsec_common_input(m, offset, 249 offsetof(struct ip, ip_p), AF_INET, proto); 250 return (EINPROGRESS); /* mbuf consumed by IPsec */ 251 default: 252 /* 253 * Protocols with further headers get their IPsec treatment 254 * within the protocol specific processing. 255 */ 256 if ((inetsw[ip_protox[proto]].pr_flags & PR_LASTHDR) == 0) 257 return (0); 258 /* FALLTHROUGH */ 259 }; 260 /* 261 * Enforce IPsec policy checking if we are seeing last header. 262 */ 263 if (ipsec4_in_reject(m, NULL) != 0) { 264 /* Forbidden by inbound security policy */ 265 m_freem(m); 266 return (EACCES); 267 } 268 return (0); 269 } 270 271 int 272 ipsec4_ctlinput(int code, struct sockaddr *sa, void *v) 273 { 274 struct in_conninfo inc; 275 struct secasvar *sav; 276 struct icmp *icp; 277 struct ip *ip = v; 278 uint32_t pmtu, spi; 279 uint32_t max_pmtu; 280 uint8_t proto; 281 282 if (code != PRC_MSGSIZE || ip == NULL) 283 return (EINVAL); 284 if (sa->sa_family != AF_INET || 285 sa->sa_len != sizeof(struct sockaddr_in)) 286 return (EAFNOSUPPORT); 287 288 icp = __containerof(ip, struct icmp, icmp_ip); 289 pmtu = ntohs(icp->icmp_nextmtu); 290 291 if (pmtu < V_ip4_ipsec_min_pmtu) 292 return (EINVAL); 293 294 proto = ip->ip_p; 295 if (proto != IPPROTO_ESP && proto != IPPROTO_AH && 296 proto != IPPROTO_IPCOMP) 297 return (EINVAL); 298 299 memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi)); 300 sav = key_allocsa((union sockaddr_union *)sa, proto, spi); 301 if (sav == NULL) 302 return (ENOENT); 303 304 key_freesav(&sav); 305 306 memset(&inc, 0, sizeof(inc)); 307 inc.inc_faddr = satosin(sa)->sin_addr; 308 309 /* Update pmtu only if its smaller than the current one. */ 310 max_pmtu = tcp_hc_getmtu(&inc); 311 if (max_pmtu == 0) 312 max_pmtu = tcp_maxmtu(&inc, NULL); 313 314 if (pmtu < max_pmtu) 315 tcp_hc_updatemtu(&inc, pmtu); 316 317 return (0); 318 } 319 320 /* 321 * IPsec input callback for INET protocols. 322 * This routine is called as the transform callback. 323 * Takes care of filtering and other sanity checks on 324 * the processed packet. 325 */ 326 int 327 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 328 int protoff) 329 { 330 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 331 struct epoch_tracker et; 332 struct ipsec_ctx_data ctx; 333 struct xform_history *xh; 334 struct secasindex *saidx; 335 struct m_tag *mtag; 336 struct ip *ip; 337 int error, prot, af, sproto, isr_prot; 338 339 IPSEC_ASSERT(sav != NULL, ("null SA")); 340 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 341 saidx = &sav->sah->saidx; 342 af = saidx->dst.sa.sa_family; 343 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af)); 344 sproto = saidx->proto; 345 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 346 sproto == IPPROTO_IPCOMP, 347 ("unexpected security protocol %u", sproto)); 348 349 if (skip != 0) { 350 /* 351 * Fix IPv4 header 352 */ 353 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 354 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 355 __func__, ipsec_address(&sav->sah->saidx.dst, 356 buf, sizeof(buf)), (u_long) ntohl(sav->spi))); 357 IPSEC_ISTAT(sproto, hdrops); 358 error = ENOBUFS; 359 goto bad_noepoch; 360 } 361 362 ip = mtod(m, struct ip *); 363 ip->ip_len = htons(m->m_pkthdr.len); 364 ip->ip_sum = 0; 365 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 366 } else { 367 ip = mtod(m, struct ip *); 368 } 369 prot = ip->ip_p; 370 /* 371 * Check that we have NAT-T enabled and apply transport mode 372 * decapsulation NAT procedure (RFC3948). 373 * Do this before invoking into the PFIL. 374 */ 375 if (sav->natt != NULL && 376 (prot == IPPROTO_UDP || prot == IPPROTO_TCP)) 377 udp_ipsec_adjust_cksum(m, sav, prot, skip); 378 379 /* 380 * Needed for ipsec_run_hooks and netisr_queue_src 381 */ 382 NET_EPOCH_ENTER(et); 383 384 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE); 385 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 386 goto bad; 387 ip = mtod(m, struct ip *); /* update pointer */ 388 389 /* IP-in-IP encapsulation */ 390 if (prot == IPPROTO_IPIP && 391 saidx->mode != IPSEC_MODE_TRANSPORT) { 392 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 393 IPSEC_ISTAT(sproto, hdrops); 394 error = EINVAL; 395 goto bad; 396 } 397 /* enc0: strip outer IPv4 header */ 398 m_striphdr(m, 0, ip->ip_hl << 2); 399 } 400 #ifdef INET6 401 /* IPv6-in-IP encapsulation. */ 402 else if (prot == IPPROTO_IPV6 && 403 saidx->mode != IPSEC_MODE_TRANSPORT) { 404 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 405 IPSEC_ISTAT(sproto, hdrops); 406 error = EINVAL; 407 goto bad; 408 } 409 /* enc0: strip IPv4 header, keep IPv6 header only */ 410 m_striphdr(m, 0, ip->ip_hl << 2); 411 } 412 #endif /* INET6 */ 413 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) { 414 /* 415 * When mode is wildcard, inner protocol is IPv6 and 416 * we have no INET6 support - drop this packet a bit later. 417 * In other cases we assume transport mode. Set prot to 418 * correctly choose netisr. 419 */ 420 prot = IPPROTO_IPIP; 421 } 422 423 /* 424 * Record what we've done to the packet (under what SA it was 425 * processed). 426 */ 427 if (sproto != IPPROTO_IPCOMP) { 428 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 429 sizeof(struct xform_history), M_NOWAIT); 430 if (mtag == NULL) { 431 DPRINTF(("%s: failed to get tag\n", __func__)); 432 IPSEC_ISTAT(sproto, hdrops); 433 error = ENOMEM; 434 goto bad; 435 } 436 437 xh = (struct xform_history *)(mtag + 1); 438 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); 439 xh->spi = sav->spi; 440 xh->proto = sproto; 441 xh->mode = saidx->mode; 442 m_tag_prepend(m, mtag); 443 } 444 445 key_sa_recordxfer(sav, m); /* record data transfer */ 446 447 /* 448 * In transport mode requeue decrypted mbuf back to IPv4 protocol 449 * handler. This is necessary to correctly expose rcvif. 450 */ 451 if (saidx->mode == IPSEC_MODE_TRANSPORT) 452 prot = IPPROTO_IPIP; 453 /* 454 * Re-dispatch via software interrupt. 455 */ 456 switch (prot) { 457 case IPPROTO_IPIP: 458 isr_prot = NETISR_IP; 459 af = AF_INET; 460 break; 461 #ifdef INET6 462 case IPPROTO_IPV6: 463 isr_prot = NETISR_IPV6; 464 af = AF_INET6; 465 break; 466 #endif 467 default: 468 DPRINTF(("%s: cannot handle inner ip proto %d\n", 469 __func__, prot)); 470 IPSEC_ISTAT(sproto, nopf); 471 error = EPFNOSUPPORT; 472 goto bad; 473 } 474 475 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER); 476 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 477 goto bad; 478 479 /* Handle virtual tunneling interfaces */ 480 if (saidx->mode == IPSEC_MODE_TUNNEL) 481 error = ipsec_if_input(m, sav, af); 482 if (error == 0) { 483 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); 484 if (error) { 485 IPSEC_ISTAT(sproto, qfull); 486 DPRINTF(("%s: queue full; proto %u packet dropped\n", 487 __func__, sproto)); 488 } 489 } 490 NET_EPOCH_EXIT(et); 491 key_freesav(&sav); 492 return (error); 493 bad: 494 NET_EPOCH_EXIT(et); 495 bad_noepoch: 496 key_freesav(&sav); 497 if (m != NULL) 498 m_freem(m); 499 return (error); 500 } 501 #endif /* INET */ 502 503 #ifdef INET6 504 /* 505 * IPSEC_INPUT() method implementation for IPv6. 506 * 0 - Permitted by inbound security policy for further processing. 507 * EACCES - Forbidden by inbound security policy. 508 * EINPROGRESS - consumed by IPsec. 509 */ 510 int 511 ipsec6_input(struct mbuf *m, int offset, int proto) 512 { 513 514 switch (proto) { 515 case IPPROTO_AH: 516 case IPPROTO_ESP: 517 case IPPROTO_IPCOMP: 518 /* Do inbound IPsec processing for AH/ESP/IPCOMP */ 519 ipsec_common_input(m, offset, 520 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto); 521 return (EINPROGRESS); /* mbuf consumed by IPsec */ 522 default: 523 /* 524 * Protocols with further headers get their IPsec treatment 525 * within the protocol specific processing. 526 */ 527 if ((inet6sw[ip6_protox[proto]].pr_flags & PR_LASTHDR) == 0) 528 return (0); 529 /* FALLTHROUGH */ 530 }; 531 /* 532 * Enforce IPsec policy checking if we are seeing last header. 533 */ 534 if (ipsec6_in_reject(m, NULL) != 0) { 535 /* Forbidden by inbound security policy */ 536 m_freem(m); 537 return (EACCES); 538 } 539 return (0); 540 } 541 542 int 543 ipsec6_ctlinput(int code, struct sockaddr *sa, void *v) 544 { 545 return (0); 546 } 547 548 /* 549 * IPsec input callback, called by the transform callback. Takes care of 550 * filtering and other sanity checks on the processed packet. 551 */ 552 int 553 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 554 int protoff) 555 { 556 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 557 struct epoch_tracker et; 558 struct ipsec_ctx_data ctx; 559 struct xform_history *xh; 560 struct secasindex *saidx; 561 struct ip6_hdr *ip6; 562 struct m_tag *mtag; 563 int prot, af, sproto; 564 int nxt, isr_prot; 565 int error, nest; 566 uint8_t nxt8; 567 568 IPSEC_ASSERT(sav != NULL, ("null SA")); 569 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 570 saidx = &sav->sah->saidx; 571 af = saidx->dst.sa.sa_family; 572 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af)); 573 sproto = saidx->proto; 574 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 575 sproto == IPPROTO_IPCOMP, 576 ("unexpected security protocol %u", sproto)); 577 578 NET_EPOCH_ENTER(et); 579 580 /* Fix IPv6 header */ 581 if (m->m_len < sizeof(struct ip6_hdr) && 582 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 583 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 584 __func__, ipsec_address(&sav->sah->saidx.dst, buf, 585 sizeof(buf)), (u_long) ntohl(sav->spi))); 586 587 IPSEC_ISTAT(sproto, hdrops); 588 error = EACCES; 589 goto bad; 590 } 591 592 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE); 593 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 594 goto bad; 595 596 ip6 = mtod(m, struct ip6_hdr *); 597 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 598 599 /* Save protocol */ 600 m_copydata(m, protoff, 1, &nxt8); 601 prot = nxt8; 602 603 /* IPv6-in-IP encapsulation */ 604 if (prot == IPPROTO_IPV6 && 605 saidx->mode != IPSEC_MODE_TRANSPORT) { 606 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 607 IPSEC_ISTAT(sproto, hdrops); 608 error = EINVAL; 609 goto bad; 610 } 611 /* ip6n will now contain the inner IPv6 header. */ 612 m_striphdr(m, 0, skip); 613 skip = 0; 614 } 615 #ifdef INET 616 /* IP-in-IP encapsulation */ 617 else if (prot == IPPROTO_IPIP && 618 saidx->mode != IPSEC_MODE_TRANSPORT) { 619 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 620 IPSEC_ISTAT(sproto, hdrops); 621 error = EINVAL; 622 goto bad; 623 } 624 /* ipn will now contain the inner IPv4 header */ 625 m_striphdr(m, 0, skip); 626 skip = 0; 627 } 628 #endif /* INET */ 629 else { 630 prot = IPPROTO_IPV6; /* for correct BPF processing */ 631 } 632 633 /* 634 * Record what we've done to the packet (under what SA it was 635 * processed). 636 */ 637 if (sproto != IPPROTO_IPCOMP) { 638 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 639 sizeof(struct xform_history), M_NOWAIT); 640 if (mtag == NULL) { 641 DPRINTF(("%s: failed to get tag\n", __func__)); 642 IPSEC_ISTAT(sproto, hdrops); 643 error = ENOMEM; 644 goto bad; 645 } 646 647 xh = (struct xform_history *)(mtag + 1); 648 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); 649 xh->spi = sav->spi; 650 xh->proto = sproto; 651 xh->mode = saidx->mode; 652 m_tag_prepend(m, mtag); 653 } 654 655 key_sa_recordxfer(sav, m); 656 657 #ifdef INET 658 if (prot == IPPROTO_IPIP) 659 af = AF_INET; 660 else 661 #endif 662 af = AF_INET6; 663 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER); 664 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 665 goto bad; 666 if (skip == 0) { 667 /* 668 * We stripped outer IPv6 header. 669 * Now we should requeue decrypted packet via netisr. 670 */ 671 switch (prot) { 672 #ifdef INET 673 case IPPROTO_IPIP: 674 isr_prot = NETISR_IP; 675 break; 676 #endif 677 case IPPROTO_IPV6: 678 isr_prot = NETISR_IPV6; 679 break; 680 default: 681 DPRINTF(("%s: cannot handle inner ip proto %d\n", 682 __func__, prot)); 683 IPSEC_ISTAT(sproto, nopf); 684 error = EPFNOSUPPORT; 685 goto bad; 686 } 687 /* Handle virtual tunneling interfaces */ 688 if (saidx->mode == IPSEC_MODE_TUNNEL) 689 error = ipsec_if_input(m, sav, af); 690 if (error == 0) { 691 error = netisr_queue_src(isr_prot, 692 (uintptr_t)sav->spi, m); 693 if (error) { 694 IPSEC_ISTAT(sproto, qfull); 695 DPRINTF(("%s: queue full; proto %u packet" 696 " dropped\n", __func__, sproto)); 697 } 698 } 699 NET_EPOCH_EXIT(et); 700 key_freesav(&sav); 701 return (error); 702 } 703 /* 704 * See the end of ip6_input for this logic. 705 * IPPROTO_IPV[46] case will be processed just like other ones 706 */ 707 nest = 0; 708 nxt = nxt8; 709 while (nxt != IPPROTO_DONE) { 710 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { 711 IP6STAT_INC(ip6s_toomanyhdr); 712 error = EINVAL; 713 goto bad; 714 } 715 716 /* 717 * Protection against faulty packet - there should be 718 * more sanity checks in header chain processing. 719 */ 720 if (m->m_pkthdr.len < skip) { 721 IP6STAT_INC(ip6s_tooshort); 722 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 723 error = EINVAL; 724 goto bad; 725 } 726 /* 727 * Enforce IPsec policy checking if we are seeing last header. 728 * note that we do not visit this with protocols with pcb layer 729 * code - like udp/tcp/raw ip. 730 */ 731 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 732 ipsec6_in_reject(m, NULL)) { 733 error = EINVAL; 734 goto bad; 735 } 736 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); 737 } 738 NET_EPOCH_EXIT(et); 739 key_freesav(&sav); 740 return (0); 741 bad: 742 NET_EPOCH_EXIT(et); 743 key_freesav(&sav); 744 if (m) 745 m_freem(m); 746 return (error); 747 } 748 #endif /* INET6 */ 749