xref: /freebsd/sys/netipsec/ipsec_input.c (revision b077aed33b7b6aefca7b17ddb250cf521f938613)
1 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
2 /*-
3  * The authors of this code are John Ioannidis (ji@tla.org),
4  * Angelos D. Keromytis (kermit@csd.uch.gr) and
5  * Niels Provos (provos@physnet.uni-hamburg.de).
6  *
7  * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8  * in November 1995.
9  *
10  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11  * by Angelos D. Keromytis.
12  *
13  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14  * and Niels Provos.
15  *
16  * Additional features in 1999 by Angelos D. Keromytis.
17  *
18  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19  * Angelos D. Keromytis and Niels Provos.
20  * Copyright (c) 2001, Angelos D. Keromytis.
21  * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
22  *
23  * Permission to use, copy, and modify this software with or without fee
24  * is hereby granted, provided that this entire notice is included in
25  * all copies of any software which is or includes a copy or
26  * modification of this software.
27  * You may use this code under the GNU public license if you so wish. Please
28  * contribute changes back to the authors under this freer than GPL license
29  * so that we may further the use of strong encryption without limitations to
30  * all.
31  *
32  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36  * PURPOSE.
37  */
38 
39 /*
40  * IPsec input processing.
41  */
42 
43 #include <sys/cdefs.h>
44 __FBSDID("$FreeBSD$");
45 
46 #include "opt_inet.h"
47 #include "opt_inet6.h"
48 #include "opt_ipsec.h"
49 
50 #include <sys/param.h>
51 #include <sys/systm.h>
52 #include <sys/malloc.h>
53 #include <sys/mbuf.h>
54 #include <sys/domain.h>
55 #include <sys/protosw.h>
56 #include <sys/socket.h>
57 #include <sys/errno.h>
58 #include <sys/hhook.h>
59 #include <sys/syslog.h>
60 
61 #include <net/if.h>
62 #include <net/if_var.h>
63 #include <net/if_enc.h>
64 #include <net/if_private.h>
65 #include <net/netisr.h>
66 #include <net/vnet.h>
67 
68 #include <netinet/in.h>
69 #include <netinet/in_pcb.h>
70 #include <netinet/in_systm.h>
71 #include <netinet/ip.h>
72 #include <netinet/ip_var.h>
73 #include <netinet/ip_icmp.h>
74 #include <netinet/in_var.h>
75 #include <netinet/tcp_var.h>
76 
77 #include <netinet/ip6.h>
78 #ifdef INET6
79 #include <netinet6/ip6_var.h>
80 #endif
81 #include <netinet/in_pcb.h>
82 #ifdef INET6
83 #include <netinet/icmp6.h>
84 #endif
85 
86 #include <netipsec/ipsec.h>
87 #ifdef INET6
88 #include <netipsec/ipsec6.h>
89 #endif
90 #include <netipsec/ipsec_support.h>
91 #include <netipsec/ah_var.h>
92 #include <netipsec/esp.h>
93 #include <netipsec/esp_var.h>
94 #include <netipsec/ipcomp_var.h>
95 
96 #include <netipsec/key.h>
97 #include <netipsec/keydb.h>
98 #include <netipsec/key_debug.h>
99 
100 #include <netipsec/xform.h>
101 
102 #include <machine/in_cksum.h>
103 #include <machine/stdarg.h>
104 
105 #define	IPSEC_ISTAT(proto, name)	do {	\
106 	if ((proto) == IPPROTO_ESP)		\
107 		ESPSTAT_INC(esps_##name);	\
108 	else if ((proto) == IPPROTO_AH)		\
109 		AHSTAT_INC(ahs_##name);		\
110 	else					\
111 		IPCOMPSTAT_INC(ipcomps_##name);	\
112 } while (0)
113 
114 /*
115  * ipsec_common_input gets called when an IPsec-protected packet
116  * is received by IPv4 or IPv6.  Its job is to find the right SA
117  * and call the appropriate transform.  The transform callback
118  * takes care of further processing (like ingress filtering).
119  */
120 static int
121 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
122 {
123 	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
124 	union sockaddr_union dst_address;
125 	struct secasvar *sav;
126 	uint32_t spi;
127 	int error;
128 
129 	IPSEC_ISTAT(sproto, input);
130 
131 	IPSEC_ASSERT(m != NULL, ("null packet"));
132 
133 	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
134 		sproto == IPPROTO_IPCOMP,
135 		("unexpected security protocol %u", sproto));
136 
137 	if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
138 	    (sproto == IPPROTO_AH && !V_ah_enable) ||
139 	    (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
140 		m_freem(m);
141 		IPSEC_ISTAT(sproto, pdrops);
142 		return EOPNOTSUPP;
143 	}
144 
145 	if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
146 		m_freem(m);
147 		IPSEC_ISTAT(sproto, hdrops);
148 		DPRINTF(("%s: packet too small\n", __func__));
149 		return EINVAL;
150 	}
151 
152 	/* Retrieve the SPI from the relevant IPsec header */
153 	if (sproto == IPPROTO_ESP)
154 		m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
155 	else if (sproto == IPPROTO_AH)
156 		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
157 		    (caddr_t) &spi);
158 	else if (sproto == IPPROTO_IPCOMP) {
159 		u_int16_t cpi;
160 		m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
161 		    (caddr_t) &cpi);
162 		spi = ntohl(htons(cpi));
163 	}
164 
165 	/*
166 	 * Find the SA and (indirectly) call the appropriate
167 	 * kernel crypto routine. The resulting mbuf chain is a valid
168 	 * IP packet ready to go through input processing.
169 	 */
170 	bzero(&dst_address, sizeof (dst_address));
171 	dst_address.sa.sa_family = af;
172 	switch (af) {
173 #ifdef INET
174 	case AF_INET:
175 		dst_address.sin.sin_len = sizeof(struct sockaddr_in);
176 		m_copydata(m, offsetof(struct ip, ip_dst),
177 		    sizeof(struct in_addr),
178 		    (caddr_t) &dst_address.sin.sin_addr);
179 		break;
180 #endif /* INET */
181 #ifdef INET6
182 	case AF_INET6:
183 		dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
184 		m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
185 		    sizeof(struct in6_addr),
186 		    (caddr_t) &dst_address.sin6.sin6_addr);
187 		/* We keep addresses in SADB without embedded scope id */
188 		if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
189 			/* XXX: sa6_recoverscope() */
190 			dst_address.sin6.sin6_scope_id =
191 			    ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
192 			dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
193 		}
194 		break;
195 #endif /* INET6 */
196 	default:
197 		DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
198 		m_freem(m);
199 		IPSEC_ISTAT(sproto, nopf);
200 		return EPFNOSUPPORT;
201 	}
202 
203 	/* NB: only pass dst since key_allocsa follows RFC2401 */
204 	sav = key_allocsa(&dst_address, sproto, spi);
205 	if (sav == NULL) {
206 		DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
207 		    __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
208 		    (u_long) ntohl(spi), sproto));
209 		IPSEC_ISTAT(sproto, notdb);
210 		m_freem(m);
211 		return ENOENT;
212 	}
213 
214 	if (sav->tdb_xform == NULL) {
215 		DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
216 		    __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
217 		    (u_long) ntohl(spi), sproto));
218 		IPSEC_ISTAT(sproto, noxform);
219 		key_freesav(&sav);
220 		m_freem(m);
221 		return ENXIO;
222 	}
223 
224 	/*
225 	 * Call appropriate transform and return -- callback takes care of
226 	 * everything else.
227 	 */
228 	error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
229 	return (error);
230 }
231 
232 #ifdef INET
233 /*
234  * IPSEC_INPUT() method implementation for IPv4.
235  *  0 - Permitted by inbound security policy for further processing.
236  *  EACCES - Forbidden by inbound security policy.
237  *  EINPROGRESS - consumed by IPsec.
238  */
239 int
240 ipsec4_input(struct mbuf *m, int offset, int proto)
241 {
242 
243 	switch (proto) {
244 	case IPPROTO_AH:
245 	case IPPROTO_ESP:
246 	case IPPROTO_IPCOMP:
247 		/* Do inbound IPsec processing for AH/ESP/IPCOMP */
248 		ipsec_common_input(m, offset,
249 		    offsetof(struct ip, ip_p), AF_INET, proto);
250 		return (EINPROGRESS); /* mbuf consumed by IPsec */
251 	default:
252 		/*
253 		 * Protocols with further headers get their IPsec treatment
254 		 * within the protocol specific processing.
255 		 */
256 		switch (proto) {
257 		case IPPROTO_ICMP:
258 		case IPPROTO_IGMP:
259 		case IPPROTO_IPV4:
260 		case IPPROTO_IPV6:
261 		case IPPROTO_RSVP:
262 		case IPPROTO_GRE:
263 		case IPPROTO_MOBILE:
264 		case IPPROTO_ETHERIP:
265 		case IPPROTO_PIM:
266 		case IPPROTO_SCTP:
267 			break;
268 		default:
269 			return (0);
270 		}
271 	};
272 	/*
273 	 * Enforce IPsec policy checking if we are seeing last header.
274 	 */
275 	if (ipsec4_in_reject(m, NULL) != 0) {
276 		/* Forbidden by inbound security policy */
277 		m_freem(m);
278 		return (EACCES);
279 	}
280 	return (0);
281 }
282 
283 int
284 ipsec4_ctlinput(ipsec_ctlinput_param_t param)
285 {
286 	struct icmp *icp = param.icmp;
287 	struct ip *ip = &icp->icmp_ip;
288 	struct sockaddr_in icmpsrc = {
289 		.sin_len = sizeof(struct sockaddr_in),
290 		.sin_family = AF_INET,
291 		.sin_addr = ip->ip_dst,
292 	};
293 	struct in_conninfo inc;
294 	struct secasvar *sav;
295 	uint32_t pmtu, spi;
296 	uint32_t max_pmtu;
297 	uint8_t proto;
298 
299 	pmtu = ntohs(icp->icmp_nextmtu);
300 
301 	if (pmtu < V_ip4_ipsec_min_pmtu)
302 		return (EINVAL);
303 
304 	proto = ip->ip_p;
305 	if (proto != IPPROTO_ESP && proto != IPPROTO_AH &&
306 	    proto != IPPROTO_IPCOMP)
307 		return (EINVAL);
308 
309 	memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi));
310 	sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi);
311 	if (sav == NULL)
312 		return (ENOENT);
313 
314 	key_freesav(&sav);
315 
316 	memset(&inc, 0, sizeof(inc));
317 	inc.inc_faddr = ip->ip_dst;
318 
319 	/* Update pmtu only if its smaller than the current one. */
320 	max_pmtu = tcp_hc_getmtu(&inc);
321 	if (max_pmtu == 0)
322 		max_pmtu = tcp_maxmtu(&inc, NULL);
323 
324 	if (pmtu < max_pmtu)
325 		tcp_hc_updatemtu(&inc, pmtu);
326 
327 	return (0);
328 }
329 
330 /*
331  * IPsec input callback for INET protocols.
332  * This routine is called as the transform callback.
333  * Takes care of filtering and other sanity checks on
334  * the processed packet.
335  */
336 int
337 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
338     int protoff)
339 {
340 	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
341 	struct epoch_tracker et;
342 	struct ipsec_ctx_data ctx;
343 	struct xform_history *xh;
344 	struct secasindex *saidx;
345 	struct m_tag *mtag;
346 	struct ip *ip;
347 	int error, prot, af, sproto, isr_prot;
348 
349 	IPSEC_ASSERT(sav != NULL, ("null SA"));
350 	IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
351 	saidx = &sav->sah->saidx;
352 	af = saidx->dst.sa.sa_family;
353 	IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
354 	sproto = saidx->proto;
355 	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
356 		sproto == IPPROTO_IPCOMP,
357 		("unexpected security protocol %u", sproto));
358 
359 	if (skip != 0) {
360 		/*
361 		 * Fix IPv4 header
362 		 */
363 		if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
364 			DPRINTF(("%s: processing failed for SA %s/%08lx\n",
365 			    __func__, ipsec_address(&sav->sah->saidx.dst,
366 			    buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
367 			IPSEC_ISTAT(sproto, hdrops);
368 			error = ENOBUFS;
369 			goto bad_noepoch;
370 		}
371 
372 		ip = mtod(m, struct ip *);
373 		ip->ip_len = htons(m->m_pkthdr.len);
374 		ip->ip_sum = 0;
375 		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
376 	} else {
377 		ip = mtod(m, struct ip *);
378 	}
379 	prot = ip->ip_p;
380 	/*
381 	 * Check that we have NAT-T enabled and apply transport mode
382 	 * decapsulation NAT procedure (RFC3948).
383 	 * Do this before invoking into the PFIL.
384 	 */
385 	if (sav->natt != NULL &&
386 	    (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
387 		udp_ipsec_adjust_cksum(m, sav, prot, skip);
388 
389 	/*
390 	 * Needed for ipsec_run_hooks and netisr_queue_src
391 	 */
392 	NET_EPOCH_ENTER(et);
393 
394 	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
395 	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
396 		goto bad;
397 	ip = mtod(m, struct ip *);	/* update pointer */
398 
399 	/* IP-in-IP encapsulation */
400 	if (prot == IPPROTO_IPIP &&
401 	    saidx->mode != IPSEC_MODE_TRANSPORT) {
402 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
403 			IPSEC_ISTAT(sproto, hdrops);
404 			error = EINVAL;
405 			goto bad;
406 		}
407 		/* enc0: strip outer IPv4 header */
408 		m_striphdr(m, 0, ip->ip_hl << 2);
409 	}
410 #ifdef INET6
411 	/* IPv6-in-IP encapsulation. */
412 	else if (prot == IPPROTO_IPV6 &&
413 	    saidx->mode != IPSEC_MODE_TRANSPORT) {
414 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
415 			IPSEC_ISTAT(sproto, hdrops);
416 			error = EINVAL;
417 			goto bad;
418 		}
419 		/* enc0: strip IPv4 header, keep IPv6 header only */
420 		m_striphdr(m, 0, ip->ip_hl << 2);
421 	}
422 #endif /* INET6 */
423 	else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
424 		/*
425 		 * When mode is wildcard, inner protocol is IPv6 and
426 		 * we have no INET6 support - drop this packet a bit later.
427 		 * In other cases we assume transport mode. Set prot to
428 		 * correctly choose netisr.
429 		 */
430 		prot = IPPROTO_IPIP;
431 	}
432 
433 	/*
434 	 * Record what we've done to the packet (under what SA it was
435 	 * processed).
436 	 */
437 	if (sproto != IPPROTO_IPCOMP) {
438 		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
439 		    sizeof(struct xform_history), M_NOWAIT);
440 		if (mtag == NULL) {
441 			DPRINTF(("%s: failed to get tag\n", __func__));
442 			IPSEC_ISTAT(sproto, hdrops);
443 			error = ENOMEM;
444 			goto bad;
445 		}
446 
447 		xh = (struct xform_history *)(mtag + 1);
448 		bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
449 		xh->spi = sav->spi;
450 		xh->proto = sproto;
451 		xh->mode = saidx->mode;
452 		m_tag_prepend(m, mtag);
453 	}
454 
455 	key_sa_recordxfer(sav, m);		/* record data transfer */
456 
457 	/*
458 	 * In transport mode requeue decrypted mbuf back to IPv4 protocol
459 	 * handler. This is necessary to correctly expose rcvif.
460 	 */
461 	if (saidx->mode == IPSEC_MODE_TRANSPORT)
462 		prot = IPPROTO_IPIP;
463 	/*
464 	 * Re-dispatch via software interrupt.
465 	 */
466 	switch (prot) {
467 	case IPPROTO_IPIP:
468 		isr_prot = NETISR_IP;
469 		af = AF_INET;
470 		break;
471 #ifdef INET6
472 	case IPPROTO_IPV6:
473 		isr_prot = NETISR_IPV6;
474 		af = AF_INET6;
475 		break;
476 #endif
477 	default:
478 		DPRINTF(("%s: cannot handle inner ip proto %d\n",
479 			    __func__, prot));
480 		IPSEC_ISTAT(sproto, nopf);
481 		error = EPFNOSUPPORT;
482 		goto bad;
483 	}
484 
485 	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
486 	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
487 		goto bad;
488 
489 	/* Handle virtual tunneling interfaces */
490 	if (saidx->mode == IPSEC_MODE_TUNNEL)
491 		error = ipsec_if_input(m, sav, af);
492 	if (error == 0) {
493 		error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
494 		if (error) {
495 			IPSEC_ISTAT(sproto, qfull);
496 			DPRINTF(("%s: queue full; proto %u packet dropped\n",
497 			    __func__, sproto));
498 		}
499 	}
500 	NET_EPOCH_EXIT(et);
501 	key_freesav(&sav);
502 	return (error);
503 bad:
504 	NET_EPOCH_EXIT(et);
505 bad_noepoch:
506 	key_freesav(&sav);
507 	if (m != NULL)
508 		m_freem(m);
509 	return (error);
510 }
511 #endif /* INET */
512 
513 #ifdef INET6
514 static bool
515 ipsec6_lasthdr(int proto)
516 {
517 
518 	switch (proto) {
519 	case IPPROTO_IPV4:
520 	case IPPROTO_IPV6:
521 	case IPPROTO_GRE:
522 	case IPPROTO_ICMPV6:
523 	case IPPROTO_ETHERIP:
524 	case IPPROTO_PIM:
525 	case IPPROTO_SCTP:
526 		return (true);
527 	default:
528 		return (false);
529 	};
530 }
531 
532 /*
533  * IPSEC_INPUT() method implementation for IPv6.
534  *  0 - Permitted by inbound security policy for further processing.
535  *  EACCES - Forbidden by inbound security policy.
536  *  EINPROGRESS - consumed by IPsec.
537  */
538 int
539 ipsec6_input(struct mbuf *m, int offset, int proto)
540 {
541 
542 	switch (proto) {
543 	case IPPROTO_AH:
544 	case IPPROTO_ESP:
545 	case IPPROTO_IPCOMP:
546 		/* Do inbound IPsec processing for AH/ESP/IPCOMP */
547 		ipsec_common_input(m, offset,
548 		    offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
549 		return (EINPROGRESS); /* mbuf consumed by IPsec */
550 	default:
551 		/*
552 		 * Protocols with further headers get their IPsec treatment
553 		 * within the protocol specific processing.
554 		 */
555 		if (!ipsec6_lasthdr(proto))
556 			return (0);
557 		/* FALLTHROUGH */
558 	};
559 	/*
560 	 * Enforce IPsec policy checking if we are seeing last header.
561 	 */
562 	if (ipsec6_in_reject(m, NULL) != 0) {
563 		/* Forbidden by inbound security policy */
564 		m_freem(m);
565 		return (EACCES);
566 	}
567 	return (0);
568 }
569 
570 int
571 ipsec6_ctlinput(ipsec_ctlinput_param_t param)
572 {
573 	return (0);
574 }
575 
576 extern ipproto_input_t	*ip6_protox[];
577 
578 /*
579  * IPsec input callback, called by the transform callback. Takes care of
580  * filtering and other sanity checks on the processed packet.
581  */
582 int
583 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
584     int protoff)
585 {
586 	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
587 	struct epoch_tracker et;
588 	struct ipsec_ctx_data ctx;
589 	struct xform_history *xh;
590 	struct secasindex *saidx;
591 	struct ip6_hdr *ip6;
592 	struct m_tag *mtag;
593 	int prot, af, sproto;
594 	int nxt, isr_prot;
595 	int error, nest;
596 	uint8_t nxt8;
597 
598 	IPSEC_ASSERT(sav != NULL, ("null SA"));
599 	IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
600 	saidx = &sav->sah->saidx;
601 	af = saidx->dst.sa.sa_family;
602 	IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
603 	sproto = saidx->proto;
604 	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
605 		sproto == IPPROTO_IPCOMP,
606 		("unexpected security protocol %u", sproto));
607 
608 	NET_EPOCH_ENTER(et);
609 
610 	/* Fix IPv6 header */
611 	if (m->m_len < sizeof(struct ip6_hdr) &&
612 	    (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
613 		DPRINTF(("%s: processing failed for SA %s/%08lx\n",
614 		    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
615 		    sizeof(buf)), (u_long) ntohl(sav->spi)));
616 
617 		IPSEC_ISTAT(sproto, hdrops);
618 		error = EACCES;
619 		goto bad;
620 	}
621 
622 	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
623 	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
624 		goto bad;
625 
626 	ip6 = mtod(m, struct ip6_hdr *);
627 	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
628 
629 	/* Save protocol */
630 	m_copydata(m, protoff, 1, &nxt8);
631 	prot = nxt8;
632 
633 	/* IPv6-in-IP encapsulation */
634 	if (prot == IPPROTO_IPV6 &&
635 	    saidx->mode != IPSEC_MODE_TRANSPORT) {
636 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
637 			IPSEC_ISTAT(sproto, hdrops);
638 			error = EINVAL;
639 			goto bad;
640 		}
641 		/* ip6n will now contain the inner IPv6 header. */
642 		m_striphdr(m, 0, skip);
643 		skip = 0;
644 	}
645 #ifdef INET
646 	/* IP-in-IP encapsulation */
647 	else if (prot == IPPROTO_IPIP &&
648 	    saidx->mode != IPSEC_MODE_TRANSPORT) {
649 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
650 			IPSEC_ISTAT(sproto, hdrops);
651 			error = EINVAL;
652 			goto bad;
653 		}
654 		/* ipn will now contain the inner IPv4 header */
655 		m_striphdr(m, 0, skip);
656 		skip = 0;
657 	}
658 #endif /* INET */
659 	else {
660 		prot = IPPROTO_IPV6; /* for correct BPF processing */
661 	}
662 
663 	/*
664 	 * Record what we've done to the packet (under what SA it was
665 	 * processed).
666 	 */
667 	if (sproto != IPPROTO_IPCOMP) {
668 		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
669 		    sizeof(struct xform_history), M_NOWAIT);
670 		if (mtag == NULL) {
671 			DPRINTF(("%s: failed to get tag\n", __func__));
672 			IPSEC_ISTAT(sproto, hdrops);
673 			error = ENOMEM;
674 			goto bad;
675 		}
676 
677 		xh = (struct xform_history *)(mtag + 1);
678 		bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
679 		xh->spi = sav->spi;
680 		xh->proto = sproto;
681 		xh->mode = saidx->mode;
682 		m_tag_prepend(m, mtag);
683 	}
684 
685 	key_sa_recordxfer(sav, m);
686 
687 #ifdef INET
688 	if (prot == IPPROTO_IPIP)
689 		af = AF_INET;
690 	else
691 #endif
692 		af = AF_INET6;
693 	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
694 	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
695 		goto bad;
696 	if (skip == 0) {
697 		/*
698 		 * We stripped outer IPv6 header.
699 		 * Now we should requeue decrypted packet via netisr.
700 		 */
701 		switch (prot) {
702 #ifdef INET
703 		case IPPROTO_IPIP:
704 			isr_prot = NETISR_IP;
705 			break;
706 #endif
707 		case IPPROTO_IPV6:
708 			isr_prot = NETISR_IPV6;
709 			break;
710 		default:
711 			DPRINTF(("%s: cannot handle inner ip proto %d\n",
712 			    __func__, prot));
713 			IPSEC_ISTAT(sproto, nopf);
714 			error = EPFNOSUPPORT;
715 			goto bad;
716 		}
717 		/* Handle virtual tunneling interfaces */
718 		if (saidx->mode == IPSEC_MODE_TUNNEL)
719 			error = ipsec_if_input(m, sav, af);
720 		if (error == 0) {
721 			error = netisr_queue_src(isr_prot,
722 			    (uintptr_t)sav->spi, m);
723 			if (error) {
724 				IPSEC_ISTAT(sproto, qfull);
725 				DPRINTF(("%s: queue full; proto %u packet"
726 				    " dropped\n", __func__, sproto));
727 			}
728 		}
729 		NET_EPOCH_EXIT(et);
730 		key_freesav(&sav);
731 		return (error);
732 	}
733 	/*
734 	 * See the end of ip6_input for this logic.
735 	 * IPPROTO_IPV[46] case will be processed just like other ones
736 	 */
737 	nest = 0;
738 	nxt = nxt8;
739 	while (nxt != IPPROTO_DONE) {
740 		if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
741 			IP6STAT_INC(ip6s_toomanyhdr);
742 			error = EINVAL;
743 			goto bad;
744 		}
745 
746 		/*
747 		 * Protection against faulty packet - there should be
748 		 * more sanity checks in header chain processing.
749 		 */
750 		if (m->m_pkthdr.len < skip) {
751 			IP6STAT_INC(ip6s_tooshort);
752 			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
753 			error = EINVAL;
754 			goto bad;
755 		}
756 		/*
757 		 * Enforce IPsec policy checking if we are seeing last header.
758 		 * note that we do not visit this with protocols with pcb layer
759 		 * code - like udp/tcp/raw ip.
760 		 */
761 		if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) {
762 			error = EINVAL;
763 			goto bad;
764 		}
765 		nxt = ip6_protox[nxt](&m, &skip, nxt);
766 	}
767 	NET_EPOCH_EXIT(et);
768 	key_freesav(&sav);
769 	return (0);
770 bad:
771 	NET_EPOCH_EXIT(et);
772 	key_freesav(&sav);
773 	if (m)
774 		m_freem(m);
775 	return (error);
776 }
777 #endif /* INET6 */
778