1 /* $FreeBSD$ */ 2 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ 3 /*- 4 * The authors of this code are John Ioannidis (ji@tla.org), 5 * Angelos D. Keromytis (kermit@csd.uch.gr) and 6 * Niels Provos (provos@physnet.uni-hamburg.de). 7 * 8 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 9 * in November 1995. 10 * 11 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 12 * by Angelos D. Keromytis. 13 * 14 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 15 * and Niels Provos. 16 * 17 * Additional features in 1999 by Angelos D. Keromytis. 18 * 19 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 20 * Angelos D. Keromytis and Niels Provos. 21 * Copyright (c) 2001, Angelos D. Keromytis. 22 * 23 * Permission to use, copy, and modify this software with or without fee 24 * is hereby granted, provided that this entire notice is included in 25 * all copies of any software which is or includes a copy or 26 * modification of this software. 27 * You may use this code under the GNU public license if you so wish. Please 28 * contribute changes back to the authors under this freer than GPL license 29 * so that we may further the use of strong encryption without limitations to 30 * all. 31 * 32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 36 * PURPOSE. 37 */ 38 39 /* 40 * IPsec input processing. 41 */ 42 43 #include "opt_inet.h" 44 #include "opt_inet6.h" 45 #include "opt_ipsec.h" 46 47 #include <sys/param.h> 48 #include <sys/systm.h> 49 #include <sys/malloc.h> 50 #include <sys/mbuf.h> 51 #include <sys/domain.h> 52 #include <sys/protosw.h> 53 #include <sys/socket.h> 54 #include <sys/errno.h> 55 #include <sys/hhook.h> 56 #include <sys/syslog.h> 57 58 #include <net/if.h> 59 #include <net/if_var.h> 60 #include <net/if_enc.h> 61 #include <net/netisr.h> 62 #include <net/vnet.h> 63 64 #include <netinet/in.h> 65 #include <netinet/in_systm.h> 66 #include <netinet/ip.h> 67 #include <netinet/ip_var.h> 68 #include <netinet/in_var.h> 69 70 #include <netinet/ip6.h> 71 #ifdef INET6 72 #include <netinet6/ip6_var.h> 73 #endif 74 #include <netinet/in_pcb.h> 75 #ifdef INET6 76 #include <netinet/icmp6.h> 77 #endif 78 79 #include <netipsec/ipsec.h> 80 #ifdef INET6 81 #include <netipsec/ipsec6.h> 82 #endif 83 #include <netipsec/ah_var.h> 84 #include <netipsec/esp.h> 85 #include <netipsec/esp_var.h> 86 #include <netipsec/ipcomp_var.h> 87 88 #include <netipsec/key.h> 89 #include <netipsec/keydb.h> 90 91 #include <netipsec/xform.h> 92 #include <netinet6/ip6protosw.h> 93 94 #include <machine/in_cksum.h> 95 #include <machine/stdarg.h> 96 97 98 #define IPSEC_ISTAT(proto, name) do { \ 99 if ((proto) == IPPROTO_ESP) \ 100 ESPSTAT_INC(esps_##name); \ 101 else if ((proto) == IPPROTO_AH) \ 102 AHSTAT_INC(ahs_##name); \ 103 else \ 104 IPCOMPSTAT_INC(ipcomps_##name); \ 105 } while (0) 106 107 #ifdef INET 108 static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); 109 #endif 110 111 /* 112 * ipsec_common_input gets called when an IPsec-protected packet 113 * is received by IPv4 or IPv6. Its job is to find the right SA 114 * and call the appropriate transform. The transform callback 115 * takes care of further processing (like ingress filtering). 116 */ 117 int 118 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) 119 { 120 char buf[INET6_ADDRSTRLEN]; 121 union sockaddr_union dst_address; 122 struct secasvar *sav; 123 u_int32_t spi; 124 int error; 125 #ifdef INET 126 #ifdef IPSEC_NAT_T 127 struct m_tag *tag; 128 #endif 129 #endif 130 131 IPSEC_ISTAT(sproto, input); 132 133 IPSEC_ASSERT(m != NULL, ("null packet")); 134 135 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 136 sproto == IPPROTO_IPCOMP, 137 ("unexpected security protocol %u", sproto)); 138 139 if ((sproto == IPPROTO_ESP && !V_esp_enable) || 140 (sproto == IPPROTO_AH && !V_ah_enable) || 141 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 142 m_freem(m); 143 IPSEC_ISTAT(sproto, pdrops); 144 return EOPNOTSUPP; 145 } 146 147 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 148 m_freem(m); 149 IPSEC_ISTAT(sproto, hdrops); 150 DPRINTF(("%s: packet too small\n", __func__)); 151 return EINVAL; 152 } 153 154 /* Retrieve the SPI from the relevant IPsec header */ 155 if (sproto == IPPROTO_ESP) 156 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 157 else if (sproto == IPPROTO_AH) 158 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 159 (caddr_t) &spi); 160 else if (sproto == IPPROTO_IPCOMP) { 161 u_int16_t cpi; 162 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 163 (caddr_t) &cpi); 164 spi = ntohl(htons(cpi)); 165 } 166 167 /* 168 * Find the SA and (indirectly) call the appropriate 169 * kernel crypto routine. The resulting mbuf chain is a valid 170 * IP packet ready to go through input processing. 171 */ 172 bzero(&dst_address, sizeof (dst_address)); 173 dst_address.sa.sa_family = af; 174 switch (af) { 175 #ifdef INET 176 case AF_INET: 177 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 178 m_copydata(m, offsetof(struct ip, ip_dst), 179 sizeof(struct in_addr), 180 (caddr_t) &dst_address.sin.sin_addr); 181 #ifdef IPSEC_NAT_T 182 /* Find the source port for NAT-T; see udp*_espdecap. */ 183 tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL); 184 if (tag != NULL) 185 dst_address.sin.sin_port = ((u_int16_t *)(tag + 1))[1]; 186 #endif /* IPSEC_NAT_T */ 187 break; 188 #endif /* INET */ 189 #ifdef INET6 190 case AF_INET6: 191 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 192 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 193 sizeof(struct in6_addr), 194 (caddr_t) &dst_address.sin6.sin6_addr); 195 /* We keep addresses in SADB without embedded scope id */ 196 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) { 197 /* XXX: sa6_recoverscope() */ 198 dst_address.sin6.sin6_scope_id = 199 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]); 200 dst_address.sin6.sin6_addr.s6_addr16[1] = 0; 201 } 202 break; 203 #endif /* INET6 */ 204 default: 205 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); 206 m_freem(m); 207 IPSEC_ISTAT(sproto, nopf); 208 return EPFNOSUPPORT; 209 } 210 211 /* NB: only pass dst since key_allocsa follows RFC2401 */ 212 sav = KEY_ALLOCSA(&dst_address, sproto, spi); 213 if (sav == NULL) { 214 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", 215 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 216 (u_long) ntohl(spi), sproto)); 217 IPSEC_ISTAT(sproto, notdb); 218 m_freem(m); 219 return ENOENT; 220 } 221 222 if (sav->tdb_xform == NULL) { 223 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", 224 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 225 (u_long) ntohl(spi), sproto)); 226 IPSEC_ISTAT(sproto, noxform); 227 KEY_FREESAV(&sav); 228 m_freem(m); 229 return ENXIO; 230 } 231 232 /* 233 * Call appropriate transform and return -- callback takes care of 234 * everything else. 235 */ 236 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); 237 KEY_FREESAV(&sav); 238 return error; 239 } 240 241 #ifdef INET 242 int 243 ah4_input(struct mbuf **mp, int *offp, int proto) 244 { 245 struct mbuf *m; 246 int off; 247 248 m = *mp; 249 off = *offp; 250 *mp = NULL; 251 252 ipsec_common_input(m, off, offsetof(struct ip, ip_p), 253 AF_INET, IPPROTO_AH); 254 return (IPPROTO_DONE); 255 } 256 void 257 ah4_ctlinput(int cmd, struct sockaddr *sa, void *v) 258 { 259 if (sa->sa_family == AF_INET && 260 sa->sa_len == sizeof(struct sockaddr_in)) 261 ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_AH); 262 } 263 264 int 265 esp4_input(struct mbuf **mp, int *offp, int proto) 266 { 267 struct mbuf *m; 268 int off; 269 270 m = *mp; 271 off = *offp; 272 mp = NULL; 273 274 ipsec_common_input(m, off, offsetof(struct ip, ip_p), 275 AF_INET, IPPROTO_ESP); 276 return (IPPROTO_DONE); 277 } 278 279 void 280 esp4_ctlinput(int cmd, struct sockaddr *sa, void *v) 281 { 282 if (sa->sa_family == AF_INET && 283 sa->sa_len == sizeof(struct sockaddr_in)) 284 ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_ESP); 285 } 286 287 int 288 ipcomp4_input(struct mbuf **mp, int *offp, int proto) 289 { 290 struct mbuf *m; 291 int off; 292 293 m = *mp; 294 off = *offp; 295 mp = NULL; 296 297 ipsec_common_input(m, off, offsetof(struct ip, ip_p), 298 AF_INET, IPPROTO_IPCOMP); 299 return (IPPROTO_DONE); 300 } 301 302 /* 303 * IPsec input callback for INET protocols. 304 * This routine is called as the transform callback. 305 * Takes care of filtering and other sanity checks on 306 * the processed packet. 307 */ 308 int 309 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 310 int protoff) 311 { 312 char buf[INET6_ADDRSTRLEN]; 313 struct ipsec_ctx_data ctx; 314 int prot, af, sproto, isr_prot; 315 struct ip *ip; 316 struct m_tag *mtag; 317 struct tdb_ident *tdbi; 318 struct secasindex *saidx; 319 int error; 320 #ifdef INET6 321 #ifdef notyet 322 char ip6buf[INET6_ADDRSTRLEN]; 323 #endif 324 #endif 325 326 IPSEC_ASSERT(m != NULL, ("null mbuf")); 327 IPSEC_ASSERT(sav != NULL, ("null SA")); 328 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 329 saidx = &sav->sah->saidx; 330 af = saidx->dst.sa.sa_family; 331 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af)); 332 sproto = saidx->proto; 333 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 334 sproto == IPPROTO_IPCOMP, 335 ("unexpected security protocol %u", sproto)); 336 337 /* Sanity check */ 338 if (m == NULL) { 339 DPRINTF(("%s: null mbuf", __func__)); 340 IPSEC_ISTAT(sproto, badkcr); 341 KEY_FREESAV(&sav); 342 return EINVAL; 343 } 344 345 if (skip != 0) { 346 /* 347 * Fix IPv4 header 348 * XXXGL: do we need this entire block? 349 */ 350 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 351 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 352 __func__, ipsec_address(&sav->sah->saidx.dst, 353 buf, sizeof(buf)), (u_long) ntohl(sav->spi))); 354 IPSEC_ISTAT(sproto, hdrops); 355 error = ENOBUFS; 356 goto bad; 357 } 358 359 ip = mtod(m, struct ip *); 360 ip->ip_len = htons(m->m_pkthdr.len); 361 ip->ip_sum = 0; 362 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 363 } else { 364 ip = mtod(m, struct ip *); 365 } 366 prot = ip->ip_p; 367 368 IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE); 369 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 370 goto bad; 371 ip = mtod(m, struct ip *); 372 373 /* IP-in-IP encapsulation */ 374 if (prot == IPPROTO_IPIP && 375 saidx->mode != IPSEC_MODE_TRANSPORT) { 376 377 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 378 IPSEC_ISTAT(sproto, hdrops); 379 error = EINVAL; 380 goto bad; 381 } 382 /* enc0: strip outer IPv4 header */ 383 m_striphdr(m, 0, ip->ip_hl << 2); 384 385 #ifdef notyet 386 /* XXX PROXY address isn't recorded in SAH */ 387 /* 388 * Check that the inner source address is the same as 389 * the proxy address, if available. 390 */ 391 if ((saidx->proxy.sa.sa_family == AF_INET && 392 saidx->proxy.sin.sin_addr.s_addr != 393 INADDR_ANY && 394 ipn.ip_src.s_addr != 395 saidx->proxy.sin.sin_addr.s_addr) || 396 (saidx->proxy.sa.sa_family != AF_INET && 397 saidx->proxy.sa.sa_family != 0)) { 398 399 DPRINTF(("%s: inner source address %s doesn't " 400 "correspond to expected proxy source %s, " 401 "SA %s/%08lx\n", __func__, 402 inet_ntoa4(ipn.ip_src), 403 ipsp_address(saidx->proxy), 404 ipsp_address(saidx->dst), 405 (u_long) ntohl(sav->spi))); 406 407 IPSEC_ISTAT(sproto, pdrops); 408 error = EACCES; 409 goto bad; 410 } 411 #endif /* notyet */ 412 } 413 #ifdef INET6 414 /* IPv6-in-IP encapsulation. */ 415 else if (prot == IPPROTO_IPV6 && 416 saidx->mode != IPSEC_MODE_TRANSPORT) { 417 418 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 419 IPSEC_ISTAT(sproto, hdrops); 420 error = EINVAL; 421 goto bad; 422 } 423 /* enc0: strip IPv4 header, keep IPv6 header only */ 424 m_striphdr(m, 0, ip->ip_hl << 2); 425 #ifdef notyet 426 /* 427 * Check that the inner source address is the same as 428 * the proxy address, if available. 429 */ 430 if ((saidx->proxy.sa.sa_family == AF_INET6 && 431 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && 432 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, 433 &saidx->proxy.sin6.sin6_addr)) || 434 (saidx->proxy.sa.sa_family != AF_INET6 && 435 saidx->proxy.sa.sa_family != 0)) { 436 437 DPRINTF(("%s: inner source address %s doesn't " 438 "correspond to expected proxy source %s, " 439 "SA %s/%08lx\n", __func__, 440 ip6_sprintf(ip6buf, &ip6n.ip6_src), 441 ipsec_address(&saidx->proxy), 442 ipsec_address(&saidx->dst), 443 (u_long) ntohl(sav->spi))); 444 445 IPSEC_ISTAT(sproto, pdrops); 446 error = EACCES; 447 goto bad; 448 } 449 #endif /* notyet */ 450 } 451 #endif /* INET6 */ 452 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) { 453 /* 454 * When mode is wildcard, inner protocol is IPv6 and 455 * we have no INET6 support - drop this packet a bit later. 456 * In other cases we assume transport mode and outer 457 * header was already stripped in xform_xxx_cb. 458 */ 459 prot = IPPROTO_IPIP; 460 } 461 462 /* 463 * Record what we've done to the packet (under what SA it was 464 * processed). 465 */ 466 if (sproto != IPPROTO_IPCOMP) { 467 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 468 sizeof(struct tdb_ident), M_NOWAIT); 469 if (mtag == NULL) { 470 DPRINTF(("%s: failed to get tag\n", __func__)); 471 IPSEC_ISTAT(sproto, hdrops); 472 error = ENOMEM; 473 goto bad; 474 } 475 476 tdbi = (struct tdb_ident *)(mtag + 1); 477 bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len); 478 tdbi->proto = sproto; 479 tdbi->spi = sav->spi; 480 /* Cache those two for enc(4) in xform_ipip. */ 481 tdbi->alg_auth = sav->alg_auth; 482 tdbi->alg_enc = sav->alg_enc; 483 484 m_tag_prepend(m, mtag); 485 } 486 487 key_sa_recordxfer(sav, m); /* record data transfer */ 488 489 /* 490 * In transport mode requeue decrypted mbuf back to IPv4 protocol 491 * handler. This is necessary to correctly expose rcvif. 492 */ 493 if (saidx->mode == IPSEC_MODE_TRANSPORT) 494 prot = IPPROTO_IPIP; 495 /* 496 * Re-dispatch via software interrupt. 497 */ 498 switch (prot) { 499 case IPPROTO_IPIP: 500 isr_prot = NETISR_IP; 501 af = AF_INET; 502 break; 503 #ifdef INET6 504 case IPPROTO_IPV6: 505 isr_prot = NETISR_IPV6; 506 af = AF_INET6; 507 break; 508 #endif 509 default: 510 DPRINTF(("%s: cannot handle inner ip proto %d\n", 511 __func__, prot)); 512 IPSEC_ISTAT(sproto, nopf); 513 error = EPFNOSUPPORT; 514 goto bad; 515 } 516 517 IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER); 518 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 519 goto bad; 520 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); 521 if (error) { 522 IPSEC_ISTAT(sproto, qfull); 523 DPRINTF(("%s: queue full; proto %u packet dropped\n", 524 __func__, sproto)); 525 return error; 526 } 527 return 0; 528 bad: 529 m_freem(m); 530 return error; 531 } 532 533 void 534 ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto) 535 { 536 /* XXX nothing just yet */ 537 } 538 #endif /* INET */ 539 540 #ifdef INET6 541 /* IPv6 AH wrapper. */ 542 int 543 ipsec6_common_input(struct mbuf **mp, int *offp, int proto) 544 { 545 int l = 0; 546 int protoff; 547 struct ip6_ext ip6e; 548 549 if (*offp < sizeof(struct ip6_hdr)) { 550 DPRINTF(("%s: bad offset %u\n", __func__, *offp)); 551 return IPPROTO_DONE; 552 } else if (*offp == sizeof(struct ip6_hdr)) { 553 protoff = offsetof(struct ip6_hdr, ip6_nxt); 554 } else { 555 /* Chase down the header chain... */ 556 protoff = sizeof(struct ip6_hdr); 557 558 do { 559 protoff += l; 560 m_copydata(*mp, protoff, sizeof(ip6e), 561 (caddr_t) &ip6e); 562 563 if (ip6e.ip6e_nxt == IPPROTO_AH) 564 l = (ip6e.ip6e_len + 2) << 2; 565 else 566 l = (ip6e.ip6e_len + 1) << 3; 567 IPSEC_ASSERT(l > 0, ("l went zero or negative")); 568 } while (protoff + l < *offp); 569 570 /* Malformed packet check */ 571 if (protoff + l != *offp) { 572 DPRINTF(("%s: bad packet header chain, protoff %u, " 573 "l %u, off %u\n", __func__, protoff, l, *offp)); 574 IPSEC_ISTAT(proto, hdrops); 575 m_freem(*mp); 576 *mp = NULL; 577 return IPPROTO_DONE; 578 } 579 protoff += offsetof(struct ip6_ext, ip6e_nxt); 580 } 581 (void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto); 582 return IPPROTO_DONE; 583 } 584 585 /* 586 * IPsec input callback, called by the transform callback. Takes care of 587 * filtering and other sanity checks on the processed packet. 588 */ 589 int 590 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 591 int protoff) 592 { 593 char buf[INET6_ADDRSTRLEN]; 594 struct ipsec_ctx_data ctx; 595 int prot, af, sproto; 596 struct ip6_hdr *ip6; 597 struct m_tag *mtag; 598 struct tdb_ident *tdbi; 599 struct secasindex *saidx; 600 int nxt, isr_prot; 601 u_int8_t nxt8; 602 int error, nest; 603 #ifdef notyet 604 char ip6buf[INET6_ADDRSTRLEN]; 605 #endif 606 607 IPSEC_ASSERT(m != NULL, ("null mbuf")); 608 IPSEC_ASSERT(sav != NULL, ("null SA")); 609 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 610 saidx = &sav->sah->saidx; 611 af = saidx->dst.sa.sa_family; 612 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af)); 613 sproto = saidx->proto; 614 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 615 sproto == IPPROTO_IPCOMP, 616 ("unexpected security protocol %u", sproto)); 617 618 /* Sanity check */ 619 if (m == NULL) { 620 DPRINTF(("%s: null mbuf", __func__)); 621 IPSEC_ISTAT(sproto, badkcr); 622 error = EINVAL; 623 goto bad; 624 } 625 626 /* Fix IPv6 header */ 627 if (m->m_len < sizeof(struct ip6_hdr) && 628 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 629 630 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 631 __func__, ipsec_address(&sav->sah->saidx.dst, buf, 632 sizeof(buf)), (u_long) ntohl(sav->spi))); 633 634 IPSEC_ISTAT(sproto, hdrops); 635 error = EACCES; 636 goto bad; 637 } 638 639 ip6 = mtod(m, struct ip6_hdr *); 640 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 641 642 IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_BEFORE); 643 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 644 goto bad; 645 /* Save protocol */ 646 m_copydata(m, protoff, 1, &nxt8); 647 prot = nxt8; 648 649 /* IPv6-in-IP encapsulation */ 650 if (prot == IPPROTO_IPV6 && 651 saidx->mode != IPSEC_MODE_TRANSPORT) { 652 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 653 IPSEC_ISTAT(sproto, hdrops); 654 error = EINVAL; 655 goto bad; 656 } 657 /* ip6n will now contain the inner IPv6 header. */ 658 m_striphdr(m, 0, skip); 659 skip = 0; 660 #ifdef notyet 661 /* 662 * Check that the inner source address is the same as 663 * the proxy address, if available. 664 */ 665 if ((saidx->proxy.sa.sa_family == AF_INET6 && 666 !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) && 667 !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src, 668 &saidx->proxy.sin6.sin6_addr)) || 669 (saidx->proxy.sa.sa_family != AF_INET6 && 670 saidx->proxy.sa.sa_family != 0)) { 671 672 DPRINTF(("%s: inner source address %s doesn't " 673 "correspond to expected proxy source %s, " 674 "SA %s/%08lx\n", __func__, 675 ip6_sprintf(ip6buf, &ip6n.ip6_src), 676 ipsec_address(&saidx->proxy), 677 ipsec_address(&saidx->dst), 678 (u_long) ntohl(sav->spi))); 679 680 IPSEC_ISTAT(sproto, pdrops); 681 error = EACCES; 682 goto bad; 683 } 684 #endif /* notyet */ 685 } 686 #ifdef INET 687 /* IP-in-IP encapsulation */ 688 else if (prot == IPPROTO_IPIP && 689 saidx->mode != IPSEC_MODE_TRANSPORT) { 690 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 691 IPSEC_ISTAT(sproto, hdrops); 692 error = EINVAL; 693 goto bad; 694 } 695 /* ipn will now contain the inner IPv4 header */ 696 m_striphdr(m, 0, skip); 697 skip = 0; 698 #ifdef notyet 699 /* 700 * Check that the inner source address is the same as 701 * the proxy address, if available. 702 */ 703 if ((saidx->proxy.sa.sa_family == AF_INET && 704 saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY && 705 ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) || 706 (saidx->proxy.sa.sa_family != AF_INET && 707 saidx->proxy.sa.sa_family != 0)) { 708 709 DPRINTF(("%s: inner source address %s doesn't " 710 "correspond to expected proxy source %s, " 711 "SA %s/%08lx\n", __func__, 712 inet_ntoa4(ipn.ip_src), 713 ipsec_address(&saidx->proxy), 714 ipsec_address(&saidx->dst), 715 (u_long) ntohl(sav->spi))); 716 717 IPSEC_ISTAT(sproto, pdrops); 718 error = EACCES; 719 goto bad; 720 } 721 #endif /* notyet */ 722 } 723 #endif /* INET */ 724 else { 725 prot = IPPROTO_IPV6; /* for correct BPF processing */ 726 } 727 728 /* 729 * Record what we've done to the packet (under what SA it was 730 * processed). 731 */ 732 if (sproto != IPPROTO_IPCOMP) { 733 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 734 sizeof(struct tdb_ident), M_NOWAIT); 735 if (mtag == NULL) { 736 DPRINTF(("%s: failed to get tag\n", __func__)); 737 IPSEC_ISTAT(sproto, hdrops); 738 error = ENOMEM; 739 goto bad; 740 } 741 742 tdbi = (struct tdb_ident *)(mtag + 1); 743 bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union)); 744 tdbi->proto = sproto; 745 tdbi->spi = sav->spi; 746 /* Cache those two for enc(4) in xform_ipip. */ 747 tdbi->alg_auth = sav->alg_auth; 748 tdbi->alg_enc = sav->alg_enc; 749 750 m_tag_prepend(m, mtag); 751 } 752 753 key_sa_recordxfer(sav, m); 754 755 756 #ifdef INET 757 if (prot == IPPROTO_IPIP) 758 af = AF_INET; 759 else 760 #endif 761 af = AF_INET6; 762 IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER); 763 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 764 goto bad; 765 if (skip == 0) { 766 /* 767 * We stripped outer IPv6 header. 768 * Now we should requeue decrypted packet via netisr. 769 */ 770 switch (prot) { 771 #ifdef INET 772 case IPPROTO_IPIP: 773 isr_prot = NETISR_IP; 774 break; 775 #endif 776 case IPPROTO_IPV6: 777 isr_prot = NETISR_IPV6; 778 break; 779 default: 780 DPRINTF(("%s: cannot handle inner ip proto %d\n", 781 __func__, prot)); 782 IPSEC_ISTAT(sproto, nopf); 783 error = EPFNOSUPPORT; 784 goto bad; 785 } 786 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); 787 if (error) { 788 IPSEC_ISTAT(sproto, qfull); 789 DPRINTF(("%s: queue full; proto %u packet dropped\n", 790 __func__, sproto)); 791 } 792 return (error); 793 } 794 /* 795 * See the end of ip6_input for this logic. 796 * IPPROTO_IPV[46] case will be processed just like other ones 797 */ 798 nest = 0; 799 nxt = nxt8; 800 while (nxt != IPPROTO_DONE) { 801 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { 802 IP6STAT_INC(ip6s_toomanyhdr); 803 error = EINVAL; 804 goto bad; 805 } 806 807 /* 808 * Protection against faulty packet - there should be 809 * more sanity checks in header chain processing. 810 */ 811 if (m->m_pkthdr.len < skip) { 812 IP6STAT_INC(ip6s_tooshort); 813 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 814 error = EINVAL; 815 goto bad; 816 } 817 /* 818 * Enforce IPsec policy checking if we are seeing last header. 819 * note that we do not visit this with protocols with pcb layer 820 * code - like udp/tcp/raw ip. 821 */ 822 if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 823 ipsec6_in_reject(m, NULL)) { 824 error = EINVAL; 825 goto bad; 826 } 827 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); 828 } 829 return 0; 830 bad: 831 if (m) 832 m_freem(m); 833 return error; 834 } 835 836 void 837 esp6_ctlinput(int cmd, struct sockaddr *sa, void *d) 838 { 839 struct ip6ctlparam *ip6cp = NULL; 840 struct mbuf *m = NULL; 841 struct ip6_hdr *ip6; 842 int off; 843 844 if (sa->sa_family != AF_INET6 || 845 sa->sa_len != sizeof(struct sockaddr_in6)) 846 return; 847 if ((unsigned)cmd >= PRC_NCMDS) 848 return; 849 850 /* if the parameter is from icmp6, decode it. */ 851 if (d != NULL) { 852 ip6cp = (struct ip6ctlparam *)d; 853 m = ip6cp->ip6c_m; 854 ip6 = ip6cp->ip6c_ip6; 855 off = ip6cp->ip6c_off; 856 } else { 857 m = NULL; 858 ip6 = NULL; 859 off = 0; /* calm gcc */ 860 } 861 862 if (ip6 != NULL) { 863 864 struct ip6ctlparam ip6cp1; 865 866 /* 867 * Notify the error to all possible sockets via pfctlinput2. 868 * Since the upper layer information (such as protocol type, 869 * source and destination ports) is embedded in the encrypted 870 * data and might have been cut, we can't directly call 871 * an upper layer ctlinput function. However, the pcbnotify 872 * function will consider source and destination addresses 873 * as well as the flow info value, and may be able to find 874 * some PCB that should be notified. 875 * Although pfctlinput2 will call esp6_ctlinput(), there is 876 * no possibility of an infinite loop of function calls, 877 * because we don't pass the inner IPv6 header. 878 */ 879 bzero(&ip6cp1, sizeof(ip6cp1)); 880 ip6cp1.ip6c_src = ip6cp->ip6c_src; 881 pfctlinput2(cmd, sa, (void *)&ip6cp1); 882 883 /* 884 * Then go to special cases that need ESP header information. 885 * XXX: We assume that when ip6 is non NULL, 886 * M and OFF are valid. 887 */ 888 889 if (cmd == PRC_MSGSIZE) { 890 struct secasvar *sav; 891 u_int32_t spi; 892 int valid; 893 894 /* check header length before using m_copydata */ 895 if (m->m_pkthdr.len < off + sizeof (struct esp)) 896 return; 897 m_copydata(m, off + offsetof(struct esp, esp_spi), 898 sizeof(u_int32_t), (caddr_t) &spi); 899 /* 900 * Check to see if we have a valid SA corresponding to 901 * the address in the ICMP message payload. 902 */ 903 sav = KEY_ALLOCSA((union sockaddr_union *)sa, 904 IPPROTO_ESP, spi); 905 valid = (sav != NULL); 906 if (sav) 907 KEY_FREESAV(&sav); 908 909 /* XXX Further validation? */ 910 911 /* 912 * Depending on whether the SA is "valid" and 913 * routing table size (mtudisc_{hi,lo}wat), we will: 914 * - recalcurate the new MTU and create the 915 * corresponding routing entry, or 916 * - ignore the MTU change notification. 917 */ 918 icmp6_mtudisc_update(ip6cp, valid); 919 } 920 } else { 921 /* we normally notify any pcb here */ 922 } 923 } 924 #endif /* INET6 */ 925