1 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ 2 /*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 22 * 23 * Permission to use, copy, and modify this software with or without fee 24 * is hereby granted, provided that this entire notice is included in 25 * all copies of any software which is or includes a copy or 26 * modification of this software. 27 * You may use this code under the GNU public license if you so wish. Please 28 * contribute changes back to the authors under this freer than GPL license 29 * so that we may further the use of strong encryption without limitations to 30 * all. 31 * 32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 36 * PURPOSE. 37 */ 38 39 /* 40 * IPsec input processing. 41 */ 42 43 #include <sys/cdefs.h> 44 __FBSDID("$FreeBSD$"); 45 46 #include "opt_inet.h" 47 #include "opt_inet6.h" 48 #include "opt_ipsec.h" 49 50 #include <sys/param.h> 51 #include <sys/systm.h> 52 #include <sys/malloc.h> 53 #include <sys/mbuf.h> 54 #include <sys/domain.h> 55 #include <sys/protosw.h> 56 #include <sys/socket.h> 57 #include <sys/errno.h> 58 #include <sys/hhook.h> 59 #include <sys/syslog.h> 60 61 #include <net/if.h> 62 #include <net/if_var.h> 63 #include <net/if_enc.h> 64 #include <net/if_private.h> 65 #include <net/netisr.h> 66 #include <net/vnet.h> 67 68 #include <netinet/in.h> 69 #include <netinet/in_pcb.h> 70 #include <netinet/in_systm.h> 71 #include <netinet/ip.h> 72 #include <netinet/ip_var.h> 73 #include <netinet/ip_icmp.h> 74 #include <netinet/in_var.h> 75 #include <netinet/tcp_var.h> 76 77 #include <netinet/ip6.h> 78 #ifdef INET6 79 #include <netinet6/ip6_var.h> 80 #endif 81 #include <netinet/in_pcb.h> 82 #ifdef INET6 83 #include <netinet/icmp6.h> 84 #endif 85 86 #include <netipsec/ipsec.h> 87 #ifdef INET6 88 #include <netipsec/ipsec6.h> 89 #endif 90 #include <netipsec/ipsec_support.h> 91 #include <netipsec/ah_var.h> 92 #include <netipsec/esp.h> 93 #include <netipsec/esp_var.h> 94 #include <netipsec/ipcomp_var.h> 95 96 #include <netipsec/key.h> 97 #include <netipsec/keydb.h> 98 #include <netipsec/key_debug.h> 99 100 #include <netipsec/xform.h> 101 102 #include <machine/in_cksum.h> 103 #include <machine/stdarg.h> 104 105 #define IPSEC_ISTAT(proto, name) do { \ 106 if ((proto) == IPPROTO_ESP) \ 107 ESPSTAT_INC(esps_##name); \ 108 else if ((proto) == IPPROTO_AH) \ 109 AHSTAT_INC(ahs_##name); \ 110 else \ 111 IPCOMPSTAT_INC(ipcomps_##name); \ 112 } while (0) 113 114 /* 115 * ipsec_common_input gets called when an IPsec-protected packet 116 * is received by IPv4 or IPv6. Its job is to find the right SA 117 * and call the appropriate transform. The transform callback 118 * takes care of further processing (like ingress filtering). 119 */ 120 static int 121 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) 122 { 123 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 124 union sockaddr_union dst_address; 125 struct secasvar *sav; 126 uint32_t spi; 127 int error; 128 129 IPSEC_ISTAT(sproto, input); 130 131 IPSEC_ASSERT(m != NULL, ("null packet")); 132 133 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 134 sproto == IPPROTO_IPCOMP, 135 ("unexpected security protocol %u", sproto)); 136 137 if ((sproto == IPPROTO_ESP && !V_esp_enable) || 138 (sproto == IPPROTO_AH && !V_ah_enable) || 139 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 140 m_freem(m); 141 IPSEC_ISTAT(sproto, pdrops); 142 return EOPNOTSUPP; 143 } 144 145 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 146 m_freem(m); 147 IPSEC_ISTAT(sproto, hdrops); 148 DPRINTF(("%s: packet too small\n", __func__)); 149 return EINVAL; 150 } 151 152 /* Retrieve the SPI from the relevant IPsec header */ 153 if (sproto == IPPROTO_ESP) 154 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 155 else if (sproto == IPPROTO_AH) 156 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 157 (caddr_t) &spi); 158 else if (sproto == IPPROTO_IPCOMP) { 159 u_int16_t cpi; 160 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 161 (caddr_t) &cpi); 162 spi = ntohl(htons(cpi)); 163 } 164 165 /* 166 * Find the SA and (indirectly) call the appropriate 167 * kernel crypto routine. The resulting mbuf chain is a valid 168 * IP packet ready to go through input processing. 169 */ 170 bzero(&dst_address, sizeof (dst_address)); 171 dst_address.sa.sa_family = af; 172 switch (af) { 173 #ifdef INET 174 case AF_INET: 175 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 176 m_copydata(m, offsetof(struct ip, ip_dst), 177 sizeof(struct in_addr), 178 (caddr_t) &dst_address.sin.sin_addr); 179 break; 180 #endif /* INET */ 181 #ifdef INET6 182 case AF_INET6: 183 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 184 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 185 sizeof(struct in6_addr), 186 (caddr_t) &dst_address.sin6.sin6_addr); 187 /* We keep addresses in SADB without embedded scope id */ 188 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) { 189 /* XXX: sa6_recoverscope() */ 190 dst_address.sin6.sin6_scope_id = 191 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]); 192 dst_address.sin6.sin6_addr.s6_addr16[1] = 0; 193 } 194 break; 195 #endif /* INET6 */ 196 default: 197 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); 198 m_freem(m); 199 IPSEC_ISTAT(sproto, nopf); 200 return EPFNOSUPPORT; 201 } 202 203 /* NB: only pass dst since key_allocsa follows RFC2401 */ 204 sav = key_allocsa(&dst_address, sproto, spi); 205 if (sav == NULL) { 206 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", 207 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 208 (u_long) ntohl(spi), sproto)); 209 IPSEC_ISTAT(sproto, notdb); 210 m_freem(m); 211 return ENOENT; 212 } 213 214 if (sav->tdb_xform == NULL) { 215 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", 216 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 217 (u_long) ntohl(spi), sproto)); 218 IPSEC_ISTAT(sproto, noxform); 219 key_freesav(&sav); 220 m_freem(m); 221 return ENXIO; 222 } 223 224 /* 225 * Call appropriate transform and return -- callback takes care of 226 * everything else. 227 */ 228 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); 229 return (error); 230 } 231 232 #ifdef INET 233 /* 234 * IPSEC_INPUT() method implementation for IPv4. 235 * 0 - Permitted by inbound security policy for further processing. 236 * EACCES - Forbidden by inbound security policy. 237 * EINPROGRESS - consumed by IPsec. 238 */ 239 int 240 ipsec4_input(struct mbuf *m, int offset, int proto) 241 { 242 243 switch (proto) { 244 case IPPROTO_AH: 245 case IPPROTO_ESP: 246 case IPPROTO_IPCOMP: 247 /* Do inbound IPsec processing for AH/ESP/IPCOMP */ 248 ipsec_common_input(m, offset, 249 offsetof(struct ip, ip_p), AF_INET, proto); 250 return (EINPROGRESS); /* mbuf consumed by IPsec */ 251 default: 252 /* 253 * Protocols with further headers get their IPsec treatment 254 * within the protocol specific processing. 255 */ 256 switch (proto) { 257 case IPPROTO_ICMP: 258 case IPPROTO_IGMP: 259 case IPPROTO_IPV4: 260 case IPPROTO_IPV6: 261 case IPPROTO_RSVP: 262 case IPPROTO_GRE: 263 case IPPROTO_MOBILE: 264 case IPPROTO_ETHERIP: 265 case IPPROTO_PIM: 266 case IPPROTO_SCTP: 267 break; 268 default: 269 return (0); 270 } 271 }; 272 /* 273 * Enforce IPsec policy checking if we are seeing last header. 274 */ 275 if (ipsec4_in_reject(m, NULL) != 0) { 276 /* Forbidden by inbound security policy */ 277 m_freem(m); 278 return (EACCES); 279 } 280 return (0); 281 } 282 283 int 284 ipsec4_ctlinput(ipsec_ctlinput_param_t param) 285 { 286 struct icmp *icp = param.icmp; 287 struct ip *ip = &icp->icmp_ip; 288 struct sockaddr_in icmpsrc = { 289 .sin_len = sizeof(struct sockaddr_in), 290 .sin_family = AF_INET, 291 .sin_addr = ip->ip_dst, 292 }; 293 struct in_conninfo inc; 294 struct secasvar *sav; 295 uint32_t pmtu, spi; 296 uint32_t max_pmtu; 297 uint8_t proto; 298 299 pmtu = ntohs(icp->icmp_nextmtu); 300 301 if (pmtu < V_ip4_ipsec_min_pmtu) 302 return (EINVAL); 303 304 proto = ip->ip_p; 305 if (proto != IPPROTO_ESP && proto != IPPROTO_AH && 306 proto != IPPROTO_IPCOMP) 307 return (EINVAL); 308 309 memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi)); 310 sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi); 311 if (sav == NULL) 312 return (ENOENT); 313 314 key_freesav(&sav); 315 316 memset(&inc, 0, sizeof(inc)); 317 inc.inc_faddr = ip->ip_dst; 318 319 /* Update pmtu only if its smaller than the current one. */ 320 max_pmtu = tcp_hc_getmtu(&inc); 321 if (max_pmtu == 0) 322 max_pmtu = tcp_maxmtu(&inc, NULL); 323 324 if (pmtu < max_pmtu) 325 tcp_hc_updatemtu(&inc, pmtu); 326 327 return (0); 328 } 329 330 /* 331 * IPsec input callback for INET protocols. 332 * This routine is called as the transform callback. 333 * Takes care of filtering and other sanity checks on 334 * the processed packet. 335 */ 336 int 337 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 338 int protoff) 339 { 340 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 341 struct epoch_tracker et; 342 struct ipsec_ctx_data ctx; 343 struct xform_history *xh; 344 struct secasindex *saidx; 345 struct m_tag *mtag; 346 struct ip *ip; 347 int error, prot, af, sproto, isr_prot; 348 349 IPSEC_ASSERT(sav != NULL, ("null SA")); 350 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 351 saidx = &sav->sah->saidx; 352 af = saidx->dst.sa.sa_family; 353 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af)); 354 sproto = saidx->proto; 355 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 356 sproto == IPPROTO_IPCOMP, 357 ("unexpected security protocol %u", sproto)); 358 359 if (skip != 0) { 360 /* 361 * Fix IPv4 header 362 */ 363 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 364 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 365 __func__, ipsec_address(&sav->sah->saidx.dst, 366 buf, sizeof(buf)), (u_long) ntohl(sav->spi))); 367 IPSEC_ISTAT(sproto, hdrops); 368 error = ENOBUFS; 369 goto bad_noepoch; 370 } 371 372 ip = mtod(m, struct ip *); 373 ip->ip_len = htons(m->m_pkthdr.len); 374 ip->ip_sum = 0; 375 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 376 } else { 377 ip = mtod(m, struct ip *); 378 } 379 prot = ip->ip_p; 380 /* 381 * Check that we have NAT-T enabled and apply transport mode 382 * decapsulation NAT procedure (RFC3948). 383 * Do this before invoking into the PFIL. 384 */ 385 if (sav->natt != NULL && 386 (prot == IPPROTO_UDP || prot == IPPROTO_TCP)) 387 udp_ipsec_adjust_cksum(m, sav, prot, skip); 388 389 /* 390 * Needed for ipsec_run_hooks and netisr_queue_src 391 */ 392 NET_EPOCH_ENTER(et); 393 394 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE); 395 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 396 goto bad; 397 ip = mtod(m, struct ip *); /* update pointer */ 398 399 /* IP-in-IP encapsulation */ 400 if (prot == IPPROTO_IPIP && 401 saidx->mode != IPSEC_MODE_TRANSPORT) { 402 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 403 IPSEC_ISTAT(sproto, hdrops); 404 error = EINVAL; 405 goto bad; 406 } 407 /* enc0: strip outer IPv4 header */ 408 m_striphdr(m, 0, ip->ip_hl << 2); 409 } 410 #ifdef INET6 411 /* IPv6-in-IP encapsulation. */ 412 else if (prot == IPPROTO_IPV6 && 413 saidx->mode != IPSEC_MODE_TRANSPORT) { 414 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 415 IPSEC_ISTAT(sproto, hdrops); 416 error = EINVAL; 417 goto bad; 418 } 419 /* enc0: strip IPv4 header, keep IPv6 header only */ 420 m_striphdr(m, 0, ip->ip_hl << 2); 421 } 422 #endif /* INET6 */ 423 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) { 424 /* 425 * When mode is wildcard, inner protocol is IPv6 and 426 * we have no INET6 support - drop this packet a bit later. 427 * In other cases we assume transport mode. Set prot to 428 * correctly choose netisr. 429 */ 430 prot = IPPROTO_IPIP; 431 } 432 433 /* 434 * Record what we've done to the packet (under what SA it was 435 * processed). 436 */ 437 if (sproto != IPPROTO_IPCOMP) { 438 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 439 sizeof(struct xform_history), M_NOWAIT); 440 if (mtag == NULL) { 441 DPRINTF(("%s: failed to get tag\n", __func__)); 442 IPSEC_ISTAT(sproto, hdrops); 443 error = ENOMEM; 444 goto bad; 445 } 446 447 xh = (struct xform_history *)(mtag + 1); 448 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); 449 xh->spi = sav->spi; 450 xh->proto = sproto; 451 xh->mode = saidx->mode; 452 m_tag_prepend(m, mtag); 453 } 454 455 key_sa_recordxfer(sav, m); /* record data transfer */ 456 457 /* 458 * In transport mode requeue decrypted mbuf back to IPv4 protocol 459 * handler. This is necessary to correctly expose rcvif. 460 */ 461 if (saidx->mode == IPSEC_MODE_TRANSPORT) 462 prot = IPPROTO_IPIP; 463 /* 464 * Re-dispatch via software interrupt. 465 */ 466 switch (prot) { 467 case IPPROTO_IPIP: 468 isr_prot = NETISR_IP; 469 af = AF_INET; 470 break; 471 #ifdef INET6 472 case IPPROTO_IPV6: 473 isr_prot = NETISR_IPV6; 474 af = AF_INET6; 475 break; 476 #endif 477 default: 478 DPRINTF(("%s: cannot handle inner ip proto %d\n", 479 __func__, prot)); 480 IPSEC_ISTAT(sproto, nopf); 481 error = EPFNOSUPPORT; 482 goto bad; 483 } 484 485 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER); 486 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 487 goto bad; 488 489 /* Handle virtual tunneling interfaces */ 490 if (saidx->mode == IPSEC_MODE_TUNNEL) 491 error = ipsec_if_input(m, sav, af); 492 if (error == 0) { 493 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); 494 if (error) { 495 IPSEC_ISTAT(sproto, qfull); 496 DPRINTF(("%s: queue full; proto %u packet dropped\n", 497 __func__, sproto)); 498 } 499 } 500 NET_EPOCH_EXIT(et); 501 key_freesav(&sav); 502 return (error); 503 bad: 504 NET_EPOCH_EXIT(et); 505 bad_noepoch: 506 key_freesav(&sav); 507 if (m != NULL) 508 m_freem(m); 509 return (error); 510 } 511 #endif /* INET */ 512 513 #ifdef INET6 514 static bool 515 ipsec6_lasthdr(int proto) 516 { 517 518 switch (proto) { 519 case IPPROTO_IPV4: 520 case IPPROTO_IPV6: 521 case IPPROTO_GRE: 522 case IPPROTO_ICMPV6: 523 case IPPROTO_ETHERIP: 524 case IPPROTO_PIM: 525 case IPPROTO_SCTP: 526 return (true); 527 default: 528 return (false); 529 }; 530 } 531 532 /* 533 * IPSEC_INPUT() method implementation for IPv6. 534 * 0 - Permitted by inbound security policy for further processing. 535 * EACCES - Forbidden by inbound security policy. 536 * EINPROGRESS - consumed by IPsec. 537 */ 538 int 539 ipsec6_input(struct mbuf *m, int offset, int proto) 540 { 541 542 switch (proto) { 543 case IPPROTO_AH: 544 case IPPROTO_ESP: 545 case IPPROTO_IPCOMP: 546 /* Do inbound IPsec processing for AH/ESP/IPCOMP */ 547 ipsec_common_input(m, offset, 548 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto); 549 return (EINPROGRESS); /* mbuf consumed by IPsec */ 550 default: 551 /* 552 * Protocols with further headers get their IPsec treatment 553 * within the protocol specific processing. 554 */ 555 if (!ipsec6_lasthdr(proto)) 556 return (0); 557 /* FALLTHROUGH */ 558 }; 559 /* 560 * Enforce IPsec policy checking if we are seeing last header. 561 */ 562 if (ipsec6_in_reject(m, NULL) != 0) { 563 /* Forbidden by inbound security policy */ 564 m_freem(m); 565 return (EACCES); 566 } 567 return (0); 568 } 569 570 int 571 ipsec6_ctlinput(ipsec_ctlinput_param_t param) 572 { 573 return (0); 574 } 575 576 extern ipproto_input_t *ip6_protox[]; 577 578 /* 579 * IPsec input callback, called by the transform callback. Takes care of 580 * filtering and other sanity checks on the processed packet. 581 */ 582 int 583 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 584 int protoff) 585 { 586 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 587 struct epoch_tracker et; 588 struct ipsec_ctx_data ctx; 589 struct xform_history *xh; 590 struct secasindex *saidx; 591 struct ip6_hdr *ip6; 592 struct m_tag *mtag; 593 int prot, af, sproto; 594 int nxt, isr_prot; 595 int error, nest; 596 uint8_t nxt8; 597 598 IPSEC_ASSERT(sav != NULL, ("null SA")); 599 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 600 saidx = &sav->sah->saidx; 601 af = saidx->dst.sa.sa_family; 602 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af)); 603 sproto = saidx->proto; 604 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 605 sproto == IPPROTO_IPCOMP, 606 ("unexpected security protocol %u", sproto)); 607 608 NET_EPOCH_ENTER(et); 609 610 /* Fix IPv6 header */ 611 if (m->m_len < sizeof(struct ip6_hdr) && 612 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 613 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 614 __func__, ipsec_address(&sav->sah->saidx.dst, buf, 615 sizeof(buf)), (u_long) ntohl(sav->spi))); 616 617 IPSEC_ISTAT(sproto, hdrops); 618 error = EACCES; 619 goto bad; 620 } 621 622 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE); 623 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 624 goto bad; 625 626 ip6 = mtod(m, struct ip6_hdr *); 627 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 628 629 /* Save protocol */ 630 m_copydata(m, protoff, 1, &nxt8); 631 prot = nxt8; 632 633 /* IPv6-in-IP encapsulation */ 634 if (prot == IPPROTO_IPV6 && 635 saidx->mode != IPSEC_MODE_TRANSPORT) { 636 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 637 IPSEC_ISTAT(sproto, hdrops); 638 error = EINVAL; 639 goto bad; 640 } 641 /* ip6n will now contain the inner IPv6 header. */ 642 m_striphdr(m, 0, skip); 643 skip = 0; 644 } 645 #ifdef INET 646 /* IP-in-IP encapsulation */ 647 else if (prot == IPPROTO_IPIP && 648 saidx->mode != IPSEC_MODE_TRANSPORT) { 649 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 650 IPSEC_ISTAT(sproto, hdrops); 651 error = EINVAL; 652 goto bad; 653 } 654 /* ipn will now contain the inner IPv4 header */ 655 m_striphdr(m, 0, skip); 656 skip = 0; 657 } 658 #endif /* INET */ 659 else { 660 prot = IPPROTO_IPV6; /* for correct BPF processing */ 661 } 662 663 /* 664 * Record what we've done to the packet (under what SA it was 665 * processed). 666 */ 667 if (sproto != IPPROTO_IPCOMP) { 668 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 669 sizeof(struct xform_history), M_NOWAIT); 670 if (mtag == NULL) { 671 DPRINTF(("%s: failed to get tag\n", __func__)); 672 IPSEC_ISTAT(sproto, hdrops); 673 error = ENOMEM; 674 goto bad; 675 } 676 677 xh = (struct xform_history *)(mtag + 1); 678 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); 679 xh->spi = sav->spi; 680 xh->proto = sproto; 681 xh->mode = saidx->mode; 682 m_tag_prepend(m, mtag); 683 } 684 685 key_sa_recordxfer(sav, m); 686 687 #ifdef INET 688 if (prot == IPPROTO_IPIP) 689 af = AF_INET; 690 else 691 #endif 692 af = AF_INET6; 693 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER); 694 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 695 goto bad; 696 if (skip == 0) { 697 /* 698 * We stripped outer IPv6 header. 699 * Now we should requeue decrypted packet via netisr. 700 */ 701 switch (prot) { 702 #ifdef INET 703 case IPPROTO_IPIP: 704 isr_prot = NETISR_IP; 705 break; 706 #endif 707 case IPPROTO_IPV6: 708 isr_prot = NETISR_IPV6; 709 break; 710 default: 711 DPRINTF(("%s: cannot handle inner ip proto %d\n", 712 __func__, prot)); 713 IPSEC_ISTAT(sproto, nopf); 714 error = EPFNOSUPPORT; 715 goto bad; 716 } 717 /* Handle virtual tunneling interfaces */ 718 if (saidx->mode == IPSEC_MODE_TUNNEL) 719 error = ipsec_if_input(m, sav, af); 720 if (error == 0) { 721 error = netisr_queue_src(isr_prot, 722 (uintptr_t)sav->spi, m); 723 if (error) { 724 IPSEC_ISTAT(sproto, qfull); 725 DPRINTF(("%s: queue full; proto %u packet" 726 " dropped\n", __func__, sproto)); 727 } 728 } 729 NET_EPOCH_EXIT(et); 730 key_freesav(&sav); 731 return (error); 732 } 733 /* 734 * See the end of ip6_input for this logic. 735 * IPPROTO_IPV[46] case will be processed just like other ones 736 */ 737 nest = 0; 738 nxt = nxt8; 739 while (nxt != IPPROTO_DONE) { 740 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { 741 IP6STAT_INC(ip6s_toomanyhdr); 742 error = EINVAL; 743 goto bad; 744 } 745 746 /* 747 * Protection against faulty packet - there should be 748 * more sanity checks in header chain processing. 749 */ 750 if (m->m_pkthdr.len < skip) { 751 IP6STAT_INC(ip6s_tooshort); 752 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 753 error = EINVAL; 754 goto bad; 755 } 756 /* 757 * Enforce IPsec policy checking if we are seeing last header. 758 * note that we do not visit this with protocols with pcb layer 759 * code - like udp/tcp/raw ip. 760 */ 761 if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) { 762 error = EINVAL; 763 goto bad; 764 } 765 nxt = ip6_protox[nxt](&m, &skip, nxt); 766 } 767 NET_EPOCH_EXIT(et); 768 key_freesav(&sav); 769 return (0); 770 bad: 771 NET_EPOCH_EXIT(et); 772 key_freesav(&sav); 773 if (m) 774 m_freem(m); 775 return (error); 776 } 777 #endif /* INET6 */ 778