1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ 2 /*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 22 * 23 * Permission to use, copy, and modify this software with or without fee 24 * is hereby granted, provided that this entire notice is included in 25 * all copies of any software which is or includes a copy or 26 * modification of this software. 27 * You may use this code under the GNU public license if you so wish. Please 28 * contribute changes back to the authors under this freer than GPL license 29 * so that we may further the use of strong encryption without limitations to 30 * all. 31 * 32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 36 * PURPOSE. 37 */ 38 39 /* 40 * IPsec input processing. 41 */ 42 43 #include <sys/cdefs.h> 44 #include "opt_inet.h" 45 #include "opt_inet6.h" 46 #include "opt_ipsec.h" 47 48 #include <sys/param.h> 49 #include <sys/systm.h> 50 #include <sys/malloc.h> 51 #include <sys/mbuf.h> 52 #include <sys/domain.h> 53 #include <sys/protosw.h> 54 #include <sys/socket.h> 55 #include <sys/errno.h> 56 #include <sys/hhook.h> 57 #include <sys/stdarg.h> 58 #include <sys/syslog.h> 59 60 #include <net/if.h> 61 #include <net/if_var.h> 62 #include <net/if_enc.h> 63 #include <net/if_private.h> 64 #include <net/netisr.h> 65 #include <net/vnet.h> 66 67 #include <netinet/in.h> 68 #include <netinet/in_pcb.h> 69 #include <netinet/in_systm.h> 70 #include <netinet/ip.h> 71 #include <netinet/ip_var.h> 72 #include <netinet/ip_icmp.h> 73 #include <netinet/in_var.h> 74 #include <netinet/tcp_var.h> 75 76 #include <netinet/ip6.h> 77 #ifdef INET6 78 #include <netinet6/ip6_var.h> 79 #endif 80 #include <netinet/in_pcb.h> 81 #ifdef INET6 82 #include <netinet/icmp6.h> 83 #endif 84 85 #include <netipsec/ipsec.h> 86 #ifdef INET6 87 #include <netipsec/ipsec6.h> 88 #endif 89 #include <netipsec/ipsec_support.h> 90 #include <netipsec/ah_var.h> 91 #include <netipsec/esp.h> 92 #include <netipsec/esp_var.h> 93 #include <netipsec/ipcomp_var.h> 94 #include <netipsec/ipsec_offload.h> 95 96 #include <netipsec/key.h> 97 #include <netipsec/keydb.h> 98 #include <netipsec/key_debug.h> 99 100 #include <netipsec/xform.h> 101 102 #include <machine/in_cksum.h> 103 104 #define IPSEC_ISTAT(proto, name) do { \ 105 if ((proto) == IPPROTO_ESP) \ 106 ESPSTAT_INC(esps_##name); \ 107 else if ((proto) == IPPROTO_AH) \ 108 AHSTAT_INC(ahs_##name); \ 109 else \ 110 IPCOMPSTAT_INC(ipcomps_##name); \ 111 } while (0) 112 113 /* 114 * ipsec_common_input gets called when an IPsec-protected packet 115 * is received by IPv4 or IPv6. Its job is to find the right SA 116 * and call the appropriate transform. The transform callback 117 * takes care of further processing (like ingress filtering). 118 */ 119 static int 120 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) 121 { 122 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 123 union sockaddr_union dst_address; 124 struct secasvar *sav; 125 uint32_t spi; 126 int error; 127 128 IPSEC_ISTAT(sproto, input); 129 130 IPSEC_ASSERT(m != NULL, ("null packet")); 131 132 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 133 sproto == IPPROTO_IPCOMP, 134 ("unexpected security protocol %u", sproto)); 135 136 if ((sproto == IPPROTO_ESP && !V_esp_enable) || 137 (sproto == IPPROTO_AH && !V_ah_enable) || 138 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 139 m_freem(m); 140 IPSEC_ISTAT(sproto, pdrops); 141 return EOPNOTSUPP; 142 } 143 144 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 145 m_freem(m); 146 IPSEC_ISTAT(sproto, hdrops); 147 DPRINTF(("%s: packet too small\n", __func__)); 148 return EINVAL; 149 } 150 151 /* Retrieve the SPI from the relevant IPsec header */ 152 if (sproto == IPPROTO_ESP) 153 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 154 else if (sproto == IPPROTO_AH) 155 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 156 (caddr_t) &spi); 157 else if (sproto == IPPROTO_IPCOMP) { 158 u_int16_t cpi; 159 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 160 (caddr_t) &cpi); 161 spi = ntohl(htons(cpi)); 162 } 163 164 /* 165 * Find the SA and (indirectly) call the appropriate 166 * kernel crypto routine. The resulting mbuf chain is a valid 167 * IP packet ready to go through input processing. 168 */ 169 bzero(&dst_address, sizeof (dst_address)); 170 dst_address.sa.sa_family = af; 171 switch (af) { 172 #ifdef INET 173 case AF_INET: 174 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 175 m_copydata(m, offsetof(struct ip, ip_dst), 176 sizeof(struct in_addr), 177 (caddr_t) &dst_address.sin.sin_addr); 178 break; 179 #endif /* INET */ 180 #ifdef INET6 181 case AF_INET6: 182 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 183 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 184 sizeof(struct in6_addr), 185 (caddr_t) &dst_address.sin6.sin6_addr); 186 /* We keep addresses in SADB without embedded scope id */ 187 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) { 188 /* XXX: sa6_recoverscope() */ 189 dst_address.sin6.sin6_scope_id = 190 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]); 191 dst_address.sin6.sin6_addr.s6_addr16[1] = 0; 192 } 193 break; 194 #endif /* INET6 */ 195 default: 196 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); 197 m_freem(m); 198 IPSEC_ISTAT(sproto, nopf); 199 return EPFNOSUPPORT; 200 } 201 202 /* NB: only pass dst since key_allocsa follows RFC2401 */ 203 sav = key_allocsa(&dst_address, sproto, spi); 204 if (sav == NULL) { 205 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", 206 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 207 (u_long) ntohl(spi), sproto)); 208 IPSEC_ISTAT(sproto, notdb); 209 m_freem(m); 210 return ENOENT; 211 } 212 213 if (sav->tdb_xform == NULL) { 214 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", 215 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 216 (u_long) ntohl(spi), sproto)); 217 IPSEC_ISTAT(sproto, noxform); 218 key_freesav(&sav); 219 m_freem(m); 220 return ENXIO; 221 } 222 223 /* 224 * Call appropriate transform and return -- callback takes care of 225 * everything else. 226 */ 227 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); 228 return (error); 229 } 230 231 #ifdef INET 232 /* 233 * IPSEC_INPUT() method implementation for IPv4. 234 * 0 - Permitted by inbound security policy for further processing. 235 * EACCES - Forbidden by inbound security policy. 236 * EINPROGRESS - consumed by IPsec. 237 */ 238 int 239 ipsec4_input(struct mbuf *m, int offset, int proto) 240 { 241 int error; 242 243 error = ipsec_accel_input(m, offset, proto); 244 if (error != ENXIO) 245 return (error); 246 247 switch (proto) { 248 case IPPROTO_AH: 249 case IPPROTO_ESP: 250 case IPPROTO_IPCOMP: 251 /* Do inbound IPsec processing for AH/ESP/IPCOMP */ 252 ipsec_common_input(m, offset, 253 offsetof(struct ip, ip_p), AF_INET, proto); 254 return (EINPROGRESS); /* mbuf consumed by IPsec */ 255 default: 256 /* 257 * Protocols with further headers get their IPsec treatment 258 * within the protocol specific processing. 259 */ 260 switch (proto) { 261 case IPPROTO_ICMP: 262 case IPPROTO_IGMP: 263 case IPPROTO_IPV4: 264 case IPPROTO_IPV6: 265 case IPPROTO_RSVP: 266 case IPPROTO_GRE: 267 case IPPROTO_MOBILE: 268 case IPPROTO_ETHERIP: 269 case IPPROTO_PIM: 270 case IPPROTO_SCTP: 271 break; 272 default: 273 return (0); 274 } 275 }; 276 /* 277 * Enforce IPsec policy checking if we are seeing last header. 278 */ 279 if (ipsec4_in_reject(m, NULL) != 0) { 280 /* Forbidden by inbound security policy */ 281 m_freem(m); 282 return (EACCES); 283 } 284 return (0); 285 } 286 287 int 288 ipsec4_ctlinput(ipsec_ctlinput_param_t param) 289 { 290 struct icmp *icp = param.icmp; 291 struct ip *ip = &icp->icmp_ip; 292 struct sockaddr_in icmpsrc = { 293 .sin_len = sizeof(struct sockaddr_in), 294 .sin_family = AF_INET, 295 .sin_addr = ip->ip_dst, 296 }; 297 struct in_conninfo inc; 298 struct secasvar *sav; 299 uint32_t pmtu, spi; 300 uint32_t max_pmtu; 301 uint8_t proto; 302 303 pmtu = ntohs(icp->icmp_nextmtu); 304 305 if (pmtu < V_ip4_ipsec_min_pmtu) 306 return (EINVAL); 307 308 proto = ip->ip_p; 309 if (proto != IPPROTO_ESP && proto != IPPROTO_AH && 310 proto != IPPROTO_IPCOMP) 311 return (EINVAL); 312 313 memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi)); 314 sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi); 315 if (sav == NULL) 316 return (ENOENT); 317 318 key_freesav(&sav); 319 320 memset(&inc, 0, sizeof(inc)); 321 inc.inc_faddr = ip->ip_dst; 322 323 /* Update pmtu only if its smaller than the current one. */ 324 max_pmtu = tcp_hc_getmtu(&inc); 325 if (max_pmtu == 0) 326 max_pmtu = tcp_maxmtu(&inc, NULL); 327 328 if (pmtu < max_pmtu) 329 tcp_hc_updatemtu(&inc, pmtu); 330 331 return (0); 332 } 333 334 /* 335 * IPsec input callback for INET protocols. 336 * This routine is called as the transform callback. 337 * Takes care of filtering and other sanity checks on 338 * the processed packet. 339 */ 340 int 341 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 342 int protoff, struct rm_priotracker *sahtree_tracker) 343 { 344 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 345 struct epoch_tracker et; 346 struct ipsec_ctx_data ctx; 347 struct xform_history *xh; 348 struct secasindex *saidx; 349 struct m_tag *mtag; 350 struct ip *ip; 351 int error, prot, af, sproto, isr_prot; 352 353 IPSEC_ASSERT(sav != NULL, ("null SA")); 354 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 355 saidx = &sav->sah->saidx; 356 af = saidx->dst.sa.sa_family; 357 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af)); 358 sproto = saidx->proto; 359 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 360 sproto == IPPROTO_IPCOMP, 361 ("unexpected security protocol %u", sproto)); 362 363 if (skip != 0) { 364 /* 365 * Fix IPv4 header 366 */ 367 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 368 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 369 __func__, ipsec_address(&sav->sah->saidx.dst, 370 buf, sizeof(buf)), (u_long) ntohl(sav->spi))); 371 IPSEC_ISTAT(sproto, hdrops); 372 error = ENOBUFS; 373 goto bad_noepoch; 374 } 375 376 ip = mtod(m, struct ip *); 377 ip->ip_len = htons(m->m_pkthdr.len); 378 ip->ip_sum = 0; 379 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 380 } else { 381 ip = mtod(m, struct ip *); 382 } 383 prot = ip->ip_p; 384 /* 385 * Check that we have NAT-T enabled and apply transport mode 386 * decapsulation NAT procedure (RFC3948). 387 * Do this before invoking into the PFIL. 388 */ 389 if (sav->natt != NULL && 390 (prot == IPPROTO_UDP || prot == IPPROTO_TCP)) 391 udp_ipsec_adjust_cksum(m, sav, prot, skip); 392 393 /* 394 * Needed for ipsec_run_hooks and netisr_queue_src 395 */ 396 NET_EPOCH_ENTER(et); 397 398 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE); 399 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 400 goto bad; 401 ip = mtod(m, struct ip *); /* update pointer */ 402 403 /* IP-in-IP encapsulation */ 404 if (prot == IPPROTO_IPIP && 405 saidx->mode != IPSEC_MODE_TRANSPORT) { 406 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 407 IPSEC_ISTAT(sproto, hdrops); 408 error = EINVAL; 409 goto bad; 410 } 411 /* enc0: strip outer IPv4 header */ 412 m_striphdr(m, 0, ip->ip_hl << 2); 413 } 414 #ifdef INET6 415 /* IPv6-in-IP encapsulation. */ 416 else if (prot == IPPROTO_IPV6 && 417 saidx->mode != IPSEC_MODE_TRANSPORT) { 418 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 419 IPSEC_ISTAT(sproto, hdrops); 420 error = EINVAL; 421 goto bad; 422 } 423 /* enc0: strip IPv4 header, keep IPv6 header only */ 424 m_striphdr(m, 0, ip->ip_hl << 2); 425 } 426 #endif /* INET6 */ 427 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) { 428 /* 429 * When mode is wildcard, inner protocol is IPv6 and 430 * we have no INET6 support - drop this packet a bit later. 431 * In other cases we assume transport mode. Set prot to 432 * correctly choose netisr. 433 */ 434 prot = IPPROTO_IPIP; 435 } 436 437 /* 438 * Record what we've done to the packet (under what SA it was 439 * processed). 440 */ 441 if (sproto != IPPROTO_IPCOMP) { 442 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 443 sizeof(struct xform_history), M_NOWAIT); 444 if (mtag == NULL) { 445 DPRINTF(("%s: failed to get tag\n", __func__)); 446 IPSEC_ISTAT(sproto, hdrops); 447 error = ENOMEM; 448 goto bad; 449 } 450 451 xh = (struct xform_history *)(mtag + 1); 452 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); 453 xh->spi = sav->spi; 454 xh->proto = sproto; 455 xh->mode = saidx->mode; 456 m_tag_prepend(m, mtag); 457 } 458 459 key_sa_recordxfer(sav, m); /* record data transfer */ 460 461 /* 462 * In transport mode requeue decrypted mbuf back to IPv4 protocol 463 * handler. This is necessary to correctly expose rcvif. 464 */ 465 if (saidx->mode == IPSEC_MODE_TRANSPORT) 466 prot = IPPROTO_IPIP; 467 /* 468 * Re-dispatch via software interrupt. 469 */ 470 switch (prot) { 471 case IPPROTO_IPIP: 472 isr_prot = NETISR_IP; 473 af = AF_INET; 474 break; 475 #ifdef INET6 476 case IPPROTO_IPV6: 477 isr_prot = NETISR_IPV6; 478 af = AF_INET6; 479 break; 480 #endif 481 default: 482 DPRINTF(("%s: cannot handle inner ip proto %d\n", 483 __func__, prot)); 484 IPSEC_ISTAT(sproto, nopf); 485 error = EPFNOSUPPORT; 486 goto bad; 487 } 488 489 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER); 490 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 491 goto bad; 492 493 /* Handle virtual tunneling interfaces */ 494 if (saidx->mode == IPSEC_MODE_TUNNEL) 495 error = ipsec_if_input(m, sav, af, sahtree_tracker); 496 else 497 ipsec_sahtree_runlock(sahtree_tracker); 498 if (error == 0) { 499 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); 500 if (error) { 501 IPSEC_ISTAT(sproto, qfull); 502 DPRINTF(("%s: queue full; proto %u packet dropped\n", 503 __func__, sproto)); 504 } 505 } 506 NET_EPOCH_EXIT(et); 507 key_freesav(&sav); 508 return (error); 509 bad: 510 NET_EPOCH_EXIT(et); 511 bad_noepoch: 512 ipsec_sahtree_runlock(sahtree_tracker); 513 key_freesav(&sav); 514 if (m != NULL) 515 m_freem(m); 516 return (error); 517 } 518 #endif /* INET */ 519 520 #ifdef INET6 521 static bool 522 ipsec6_lasthdr(int proto) 523 { 524 525 switch (proto) { 526 case IPPROTO_IPV4: 527 case IPPROTO_IPV6: 528 case IPPROTO_GRE: 529 case IPPROTO_ICMPV6: 530 case IPPROTO_ETHERIP: 531 case IPPROTO_PIM: 532 case IPPROTO_SCTP: 533 return (true); 534 default: 535 return (false); 536 }; 537 } 538 539 /* 540 * IPSEC_INPUT() method implementation for IPv6. 541 * 0 - Permitted by inbound security policy for further processing. 542 * EACCES - Forbidden by inbound security policy. 543 * EINPROGRESS - consumed by IPsec. 544 */ 545 int 546 ipsec6_input(struct mbuf *m, int offset, int proto) 547 { 548 int error; 549 550 error = ipsec_accel_input(m, offset, proto); 551 if (error != ENXIO) 552 return (error); 553 554 switch (proto) { 555 case IPPROTO_AH: 556 case IPPROTO_ESP: 557 case IPPROTO_IPCOMP: 558 /* Do inbound IPsec processing for AH/ESP/IPCOMP */ 559 ipsec_common_input(m, offset, 560 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto); 561 return (EINPROGRESS); /* mbuf consumed by IPsec */ 562 default: 563 /* 564 * Protocols with further headers get their IPsec treatment 565 * within the protocol specific processing. 566 */ 567 if (!ipsec6_lasthdr(proto)) 568 return (0); 569 /* FALLTHROUGH */ 570 }; 571 /* 572 * Enforce IPsec policy checking if we are seeing last header. 573 */ 574 if (ipsec6_in_reject(m, NULL) != 0) { 575 /* Forbidden by inbound security policy */ 576 m_freem(m); 577 return (EACCES); 578 } 579 return (0); 580 } 581 582 int 583 ipsec6_ctlinput(ipsec_ctlinput_param_t param) 584 { 585 return (0); 586 } 587 588 extern ipproto_input_t *ip6_protox[]; 589 590 /* 591 * IPsec input callback, called by the transform callback. Takes care of 592 * filtering and other sanity checks on the processed packet. 593 */ 594 int 595 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 596 int protoff, struct rm_priotracker *sahtree_tracker) 597 { 598 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 599 struct epoch_tracker et; 600 struct ipsec_ctx_data ctx; 601 struct xform_history *xh; 602 struct secasindex *saidx; 603 struct ip6_hdr *ip6; 604 struct m_tag *mtag; 605 int prot, af, sproto; 606 int nxt, isr_prot; 607 int error, nest; 608 uint8_t nxt8; 609 610 IPSEC_ASSERT(sav != NULL, ("null SA")); 611 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 612 saidx = &sav->sah->saidx; 613 af = saidx->dst.sa.sa_family; 614 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af)); 615 sproto = saidx->proto; 616 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 617 sproto == IPPROTO_IPCOMP, 618 ("unexpected security protocol %u", sproto)); 619 620 NET_EPOCH_ENTER(et); 621 622 /* Fix IPv6 header */ 623 if (m->m_len < sizeof(struct ip6_hdr) && 624 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 625 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 626 __func__, ipsec_address(&sav->sah->saidx.dst, buf, 627 sizeof(buf)), (u_long) ntohl(sav->spi))); 628 629 IPSEC_ISTAT(sproto, hdrops); 630 error = EACCES; 631 goto bad; 632 } 633 634 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE); 635 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 636 goto bad; 637 638 ip6 = mtod(m, struct ip6_hdr *); 639 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 640 641 /* Save protocol */ 642 m_copydata(m, protoff, 1, &nxt8); 643 prot = nxt8; 644 645 /* 646 * Check that we have NAT-T enabled and apply transport mode 647 * decapsulation NAT procedure (RFC3948). 648 * Do this before invoking into the PFIL. 649 */ 650 if (sav->natt != NULL && 651 (prot == IPPROTO_UDP || prot == IPPROTO_TCP)) 652 udp_ipsec_adjust_cksum(m, sav, prot, skip); 653 654 /* IPv6-in-IP encapsulation */ 655 if (prot == IPPROTO_IPV6 && 656 saidx->mode != IPSEC_MODE_TRANSPORT) { 657 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 658 IPSEC_ISTAT(sproto, hdrops); 659 error = EINVAL; 660 goto bad; 661 } 662 /* ip6n will now contain the inner IPv6 header. */ 663 m_striphdr(m, 0, skip); 664 skip = 0; 665 } 666 #ifdef INET 667 /* IP-in-IP encapsulation */ 668 else if (prot == IPPROTO_IPIP && 669 saidx->mode != IPSEC_MODE_TRANSPORT) { 670 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 671 IPSEC_ISTAT(sproto, hdrops); 672 error = EINVAL; 673 goto bad; 674 } 675 /* ipn will now contain the inner IPv4 header */ 676 m_striphdr(m, 0, skip); 677 skip = 0; 678 } 679 #endif /* INET */ 680 else { 681 prot = IPPROTO_IPV6; /* for correct BPF processing */ 682 } 683 684 /* 685 * Record what we've done to the packet (under what SA it was 686 * processed). 687 */ 688 if (sproto != IPPROTO_IPCOMP) { 689 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 690 sizeof(struct xform_history), M_NOWAIT); 691 if (mtag == NULL) { 692 DPRINTF(("%s: failed to get tag\n", __func__)); 693 IPSEC_ISTAT(sproto, hdrops); 694 error = ENOMEM; 695 goto bad; 696 } 697 698 xh = (struct xform_history *)(mtag + 1); 699 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); 700 xh->spi = sav->spi; 701 xh->proto = sproto; 702 xh->mode = saidx->mode; 703 m_tag_prepend(m, mtag); 704 } 705 706 key_sa_recordxfer(sav, m); 707 708 #ifdef INET 709 if (prot == IPPROTO_IPIP) 710 af = AF_INET; 711 else 712 #endif 713 af = AF_INET6; 714 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER); 715 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 716 goto bad; 717 if (skip == 0) { 718 /* 719 * We stripped outer IPv6 header. 720 * Now we should requeue decrypted packet via netisr. 721 */ 722 switch (prot) { 723 #ifdef INET 724 case IPPROTO_IPIP: 725 isr_prot = NETISR_IP; 726 break; 727 #endif 728 case IPPROTO_IPV6: 729 isr_prot = NETISR_IPV6; 730 break; 731 default: 732 DPRINTF(("%s: cannot handle inner ip proto %d\n", 733 __func__, prot)); 734 IPSEC_ISTAT(sproto, nopf); 735 error = EPFNOSUPPORT; 736 goto bad; 737 } 738 /* Handle virtual tunneling interfaces */ 739 if (saidx->mode == IPSEC_MODE_TUNNEL) 740 error = ipsec_if_input(m, sav, af, sahtree_tracker); 741 else 742 ipsec_sahtree_runlock(sahtree_tracker); 743 if (error == 0) { 744 error = netisr_queue_src(isr_prot, 745 (uintptr_t)sav->spi, m); 746 if (error) { 747 IPSEC_ISTAT(sproto, qfull); 748 DPRINTF(("%s: queue full; proto %u packet" 749 " dropped\n", __func__, sproto)); 750 } 751 } 752 NET_EPOCH_EXIT(et); 753 key_freesav(&sav); 754 return (error); 755 } 756 757 ipsec_sahtree_runlock(sahtree_tracker); 758 759 /* 760 * See the end of ip6_input for this logic. 761 * IPPROTO_IPV[46] case will be processed just like other ones 762 */ 763 nest = 0; 764 nxt = nxt8; 765 while (nxt != IPPROTO_DONE) { 766 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { 767 IP6STAT_INC(ip6s_toomanyhdr); 768 error = EINVAL; 769 goto bad; 770 } 771 772 /* 773 * Protection against faulty packet - there should be 774 * more sanity checks in header chain processing. 775 */ 776 if (m->m_pkthdr.len < skip) { 777 IP6STAT_INC(ip6s_tooshort); 778 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 779 error = EINVAL; 780 goto bad; 781 } 782 /* 783 * Enforce IPsec policy checking if we are seeing last header. 784 * note that we do not visit this with protocols with pcb layer 785 * code - like udp/tcp/raw ip. 786 */ 787 if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) { 788 error = EINVAL; 789 goto bad; 790 } 791 nxt = ip6_protox[nxt](&m, &skip, nxt); 792 } 793 NET_EPOCH_EXIT(et); 794 key_freesav(&sav); 795 return (0); 796 bad: 797 NET_EPOCH_EXIT(et); 798 ipsec_sahtree_runlock(sahtree_tracker); 799 key_freesav(&sav); 800 if (m) 801 m_freem(m); 802 return (error); 803 } 804 #endif /* INET6 */ 805