xref: /freebsd/sys/netipsec/ipsec_input.c (revision ff0ba87247820afbdfdc1b307c803f7923d0e4d3)
1 /*	$FreeBSD$	*/
2 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
3 /*-
4  * The authors of this code are John Ioannidis (ji@tla.org),
5  * Angelos D. Keromytis (kermit@csd.uch.gr) and
6  * Niels Provos (provos@physnet.uni-hamburg.de).
7  *
8  * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
9  * in November 1995.
10  *
11  * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
12  * by Angelos D. Keromytis.
13  *
14  * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
15  * and Niels Provos.
16  *
17  * Additional features in 1999 by Angelos D. Keromytis.
18  *
19  * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
20  * Angelos D. Keromytis and Niels Provos.
21  * Copyright (c) 2001, Angelos D. Keromytis.
22  *
23  * Permission to use, copy, and modify this software with or without fee
24  * is hereby granted, provided that this entire notice is included in
25  * all copies of any software which is or includes a copy or
26  * modification of this software.
27  * You may use this code under the GNU public license if you so wish. Please
28  * contribute changes back to the authors under this freer than GPL license
29  * so that we may further the use of strong encryption without limitations to
30  * all.
31  *
32  * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33  * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34  * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35  * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36  * PURPOSE.
37  */
38 
39 /*
40  * IPsec input processing.
41  */
42 
43 #include "opt_inet.h"
44 #include "opt_inet6.h"
45 #include "opt_ipsec.h"
46 #include "opt_enc.h"
47 
48 #include <sys/param.h>
49 #include <sys/systm.h>
50 #include <sys/malloc.h>
51 #include <sys/mbuf.h>
52 #include <sys/domain.h>
53 #include <sys/protosw.h>
54 #include <sys/socket.h>
55 #include <sys/errno.h>
56 #include <sys/syslog.h>
57 
58 #include <net/if.h>
59 #include <net/if_var.h>
60 #include <net/pfil.h>
61 #include <net/route.h>
62 #include <net/netisr.h>
63 #include <net/vnet.h>
64 
65 #include <netinet/in.h>
66 #include <netinet/in_systm.h>
67 #include <netinet/ip.h>
68 #include <netinet/ip_var.h>
69 #include <netinet/in_var.h>
70 
71 #include <netinet/ip6.h>
72 #ifdef INET6
73 #include <netinet6/ip6_var.h>
74 #endif
75 #include <netinet/in_pcb.h>
76 #ifdef INET6
77 #include <netinet/icmp6.h>
78 #endif
79 
80 #include <netipsec/ipsec.h>
81 #ifdef INET6
82 #include <netipsec/ipsec6.h>
83 #endif
84 #include <netipsec/ah_var.h>
85 #include <netipsec/esp.h>
86 #include <netipsec/esp_var.h>
87 #include <netipsec/ipcomp_var.h>
88 
89 #include <netipsec/key.h>
90 #include <netipsec/keydb.h>
91 
92 #include <netipsec/xform.h>
93 #include <netinet6/ip6protosw.h>
94 
95 #include <machine/in_cksum.h>
96 #include <machine/stdarg.h>
97 
98 #ifdef DEV_ENC
99 #include <net/if_enc.h>
100 #endif
101 
102 
103 #define	IPSEC_ISTAT(proto, name)	do {	\
104 	if ((proto) == IPPROTO_ESP)		\
105 		ESPSTAT_INC(esps_##name);	\
106 	else if ((proto) == IPPROTO_AH)		\
107 		AHSTAT_INC(ahs_##name);		\
108 	else					\
109 		IPCOMPSTAT_INC(ipcomps_##name);	\
110 } while (0)
111 
112 #ifdef INET
113 static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int);
114 #endif
115 
116 /*
117  * ipsec_common_input gets called when an IPsec-protected packet
118  * is received by IPv4 or IPv6.  Its job is to find the right SA
119  * and call the appropriate transform.  The transform callback
120  * takes care of further processing (like ingress filtering).
121  */
122 static int
123 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
124 {
125 	union sockaddr_union dst_address;
126 	struct secasvar *sav;
127 	u_int32_t spi;
128 	int error;
129 #ifdef INET
130 #ifdef IPSEC_NAT_T
131 	struct m_tag *tag;
132 #endif
133 #endif
134 
135 	IPSEC_ISTAT(sproto, input);
136 
137 	IPSEC_ASSERT(m != NULL, ("null packet"));
138 
139 	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
140 		sproto == IPPROTO_IPCOMP,
141 		("unexpected security protocol %u", sproto));
142 
143 	if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
144 	    (sproto == IPPROTO_AH && !V_ah_enable) ||
145 	    (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
146 		m_freem(m);
147 		IPSEC_ISTAT(sproto, pdrops);
148 		return EOPNOTSUPP;
149 	}
150 
151 	if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
152 		m_freem(m);
153 		IPSEC_ISTAT(sproto, hdrops);
154 		DPRINTF(("%s: packet too small\n", __func__));
155 		return EINVAL;
156 	}
157 
158 	/* Retrieve the SPI from the relevant IPsec header */
159 	if (sproto == IPPROTO_ESP)
160 		m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
161 	else if (sproto == IPPROTO_AH)
162 		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
163 		    (caddr_t) &spi);
164 	else if (sproto == IPPROTO_IPCOMP) {
165 		u_int16_t cpi;
166 		m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
167 		    (caddr_t) &cpi);
168 		spi = ntohl(htons(cpi));
169 	}
170 
171 	/*
172 	 * Find the SA and (indirectly) call the appropriate
173 	 * kernel crypto routine. The resulting mbuf chain is a valid
174 	 * IP packet ready to go through input processing.
175 	 */
176 	bzero(&dst_address, sizeof (dst_address));
177 	dst_address.sa.sa_family = af;
178 	switch (af) {
179 #ifdef INET
180 	case AF_INET:
181 		dst_address.sin.sin_len = sizeof(struct sockaddr_in);
182 		m_copydata(m, offsetof(struct ip, ip_dst),
183 		    sizeof(struct in_addr),
184 		    (caddr_t) &dst_address.sin.sin_addr);
185 #ifdef IPSEC_NAT_T
186 		/* Find the source port for NAT-T; see udp*_espdecap. */
187 		tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL);
188 		if (tag != NULL)
189 			dst_address.sin.sin_port = ((u_int16_t *)(tag + 1))[1];
190 #endif /* IPSEC_NAT_T */
191 		break;
192 #endif /* INET */
193 #ifdef INET6
194 	case AF_INET6:
195 		dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
196 		m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
197 		    sizeof(struct in6_addr),
198 		    (caddr_t) &dst_address.sin6.sin6_addr);
199 		break;
200 #endif /* INET6 */
201 	default:
202 		DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
203 		m_freem(m);
204 		IPSEC_ISTAT(sproto, nopf);
205 		return EPFNOSUPPORT;
206 	}
207 
208 	/* NB: only pass dst since key_allocsa follows RFC2401 */
209 	sav = KEY_ALLOCSA(&dst_address, sproto, spi);
210 	if (sav == NULL) {
211 		DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
212 			  __func__, ipsec_address(&dst_address),
213 			  (u_long) ntohl(spi), sproto));
214 		IPSEC_ISTAT(sproto, notdb);
215 		m_freem(m);
216 		return ENOENT;
217 	}
218 
219 	if (sav->tdb_xform == NULL) {
220 		DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
221 			 __func__, ipsec_address(&dst_address),
222 			 (u_long) ntohl(spi), sproto));
223 		IPSEC_ISTAT(sproto, noxform);
224 		KEY_FREESAV(&sav);
225 		m_freem(m);
226 		return ENXIO;
227 	}
228 
229 	/*
230 	 * Call appropriate transform and return -- callback takes care of
231 	 * everything else.
232 	 */
233 	error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
234 	KEY_FREESAV(&sav);
235 	return error;
236 }
237 
238 #ifdef INET
239 /*
240  * Common input handler for IPv4 AH, ESP, and IPCOMP.
241  */
242 int
243 ipsec4_common_input(struct mbuf *m, ...)
244 {
245 	va_list ap;
246 	int off, nxt;
247 
248 	va_start(ap, m);
249 	off = va_arg(ap, int);
250 	nxt = va_arg(ap, int);
251 	va_end(ap);
252 
253 	return ipsec_common_input(m, off, offsetof(struct ip, ip_p),
254 				  AF_INET, nxt);
255 }
256 
257 int
258 ah4_input(struct mbuf **mp, int *offp, int proto)
259 {
260 	struct mbuf *m;
261 	int off;
262 
263 	m = *mp;
264 	off = *offp;
265 	*mp = NULL;
266 
267 	ipsec4_common_input(m, off, IPPROTO_AH);
268 	return (IPPROTO_DONE);
269 }
270 void
271 ah4_ctlinput(int cmd, struct sockaddr *sa, void *v)
272 {
273 	if (sa->sa_family == AF_INET &&
274 	    sa->sa_len == sizeof(struct sockaddr_in))
275 		ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_AH);
276 }
277 
278 int
279 esp4_input(struct mbuf **mp, int *offp, int proto)
280 {
281 	struct mbuf *m;
282 	int off;
283 
284 	m = *mp;
285 	off = *offp;
286 	mp = NULL;
287 
288 	ipsec4_common_input(m, off, IPPROTO_ESP);
289 	return (IPPROTO_DONE);
290 }
291 
292 void
293 esp4_ctlinput(int cmd, struct sockaddr *sa, void *v)
294 {
295 	if (sa->sa_family == AF_INET &&
296 	    sa->sa_len == sizeof(struct sockaddr_in))
297 		ipsec4_common_ctlinput(cmd, sa, v, IPPROTO_ESP);
298 }
299 
300 int
301 ipcomp4_input(struct mbuf **mp, int *offp, int proto)
302 {
303 	struct mbuf *m;
304 	int off;
305 
306 	m = *mp;
307 	off = *offp;
308 	mp = NULL;
309 
310 	ipsec4_common_input(m, off, IPPROTO_IPCOMP);
311 	return (IPPROTO_DONE);
312 }
313 
314 /*
315  * IPsec input callback for INET protocols.
316  * This routine is called as the transform callback.
317  * Takes care of filtering and other sanity checks on
318  * the processed packet.
319  */
320 int
321 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
322 			int skip, int protoff, struct m_tag *mt)
323 {
324 	int prot, af, sproto, isr_prot;
325 	struct ip *ip;
326 	struct m_tag *mtag;
327 	struct tdb_ident *tdbi;
328 	struct secasindex *saidx;
329 	int error;
330 #ifdef INET6
331 #ifdef notyet
332 	char ip6buf[INET6_ADDRSTRLEN];
333 #endif
334 #endif
335 
336 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
337 	IPSEC_ASSERT(sav != NULL, ("null SA"));
338 	IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
339 	saidx = &sav->sah->saidx;
340 	af = saidx->dst.sa.sa_family;
341 	IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
342 	sproto = saidx->proto;
343 	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
344 		sproto == IPPROTO_IPCOMP,
345 		("unexpected security protocol %u", sproto));
346 
347 	/* Sanity check */
348 	if (m == NULL) {
349 		DPRINTF(("%s: null mbuf", __func__));
350 		IPSEC_ISTAT(sproto, badkcr);
351 		KEY_FREESAV(&sav);
352 		return EINVAL;
353 	}
354 
355 	if (skip != 0) {
356 		/*
357 		 * Fix IPv4 header
358 		 * XXXGL: do we need this entire block?
359 		 */
360 		if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
361 			DPRINTF(("%s: processing failed for SA %s/%08lx\n",
362 			    __func__, ipsec_address(&sav->sah->saidx.dst),
363 			    (u_long) ntohl(sav->spi)));
364 			IPSEC_ISTAT(sproto, hdrops);
365 			error = ENOBUFS;
366 			goto bad;
367 		}
368 
369 		ip = mtod(m, struct ip *);
370 		ip->ip_len = htons(m->m_pkthdr.len);
371 		ip->ip_sum = 0;
372 		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
373 	} else {
374 		ip = mtod(m, struct ip *);
375 	}
376 	prot = ip->ip_p;
377 
378 #ifdef DEV_ENC
379 	if_inc_counter(encif, IFCOUNTER_IPACKETS, 1);
380 	if_inc_counter(encif, IFCOUNTER_IBYTES, m->m_pkthdr.len);
381 
382 	/* Pass the mbuf to enc0 for bpf and pfil. */
383 	ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
384 	if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
385 		return (error);
386 #endif /* DEV_ENC */
387 
388 	/* IP-in-IP encapsulation */
389 	if (prot == IPPROTO_IPIP &&
390 	    saidx->mode != IPSEC_MODE_TRANSPORT) {
391 
392 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
393 			IPSEC_ISTAT(sproto, hdrops);
394 			error = EINVAL;
395 			goto bad;
396 		}
397 		/* enc0: strip outer IPv4 header */
398 		m_striphdr(m, 0, ip->ip_hl << 2);
399 
400 #ifdef notyet
401 		/* XXX PROXY address isn't recorded in SAH */
402 		/*
403 		 * Check that the inner source address is the same as
404 		 * the proxy address, if available.
405 		 */
406 		if ((saidx->proxy.sa.sa_family == AF_INET &&
407 		    saidx->proxy.sin.sin_addr.s_addr !=
408 		    INADDR_ANY &&
409 		    ipn.ip_src.s_addr !=
410 		    saidx->proxy.sin.sin_addr.s_addr) ||
411 		    (saidx->proxy.sa.sa_family != AF_INET &&
412 			saidx->proxy.sa.sa_family != 0)) {
413 
414 			DPRINTF(("%s: inner source address %s doesn't "
415 			    "correspond to expected proxy source %s, "
416 			    "SA %s/%08lx\n", __func__,
417 			    inet_ntoa4(ipn.ip_src),
418 			    ipsp_address(saidx->proxy),
419 			    ipsp_address(saidx->dst),
420 			    (u_long) ntohl(sav->spi)));
421 
422 			IPSEC_ISTAT(sproto, pdrops);
423 			error = EACCES;
424 			goto bad;
425 		}
426 #endif /* notyet */
427 	}
428 #ifdef INET6
429 	/* IPv6-in-IP encapsulation. */
430 	else if (prot == IPPROTO_IPV6 &&
431 	    saidx->mode != IPSEC_MODE_TRANSPORT) {
432 
433 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
434 			IPSEC_ISTAT(sproto, hdrops);
435 			error = EINVAL;
436 			goto bad;
437 		}
438 		/* enc0: strip IPv4 header, keep IPv6 header only */
439 		m_striphdr(m, 0, ip->ip_hl << 2);
440 #ifdef notyet
441 		/*
442 		 * Check that the inner source address is the same as
443 		 * the proxy address, if available.
444 		 */
445 		if ((saidx->proxy.sa.sa_family == AF_INET6 &&
446 		    !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
447 		    !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
448 			&saidx->proxy.sin6.sin6_addr)) ||
449 		    (saidx->proxy.sa.sa_family != AF_INET6 &&
450 			saidx->proxy.sa.sa_family != 0)) {
451 
452 			DPRINTF(("%s: inner source address %s doesn't "
453 			    "correspond to expected proxy source %s, "
454 			    "SA %s/%08lx\n", __func__,
455 			    ip6_sprintf(ip6buf, &ip6n.ip6_src),
456 			    ipsec_address(&saidx->proxy),
457 			    ipsec_address(&saidx->dst),
458 			    (u_long) ntohl(sav->spi)));
459 
460 			IPSEC_ISTAT(sproto, pdrops);
461 			error = EACCES;
462 			goto bad;
463 		}
464 #endif /* notyet */
465 	}
466 #endif /* INET6 */
467 	else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
468 		/*
469 		 * When mode is wildcard, inner protocol is IPv6 and
470 		 * we have no INET6 support - drop this packet a bit later.
471 		 * In other cases we assume transport mode and outer
472 		 * header was already stripped in xform_xxx_cb.
473 		 */
474 		prot = IPPROTO_IPIP;
475 	}
476 
477 	/*
478 	 * Record what we've done to the packet (under what SA it was
479 	 * processed). If we've been passed an mtag, it means the packet
480 	 * was already processed by an ethernet/crypto combo card and
481 	 * thus has a tag attached with all the right information, but
482 	 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
483 	 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
484 	 */
485 	if (mt == NULL && sproto != IPPROTO_IPCOMP) {
486 		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
487 		    sizeof(struct tdb_ident), M_NOWAIT);
488 		if (mtag == NULL) {
489 			DPRINTF(("%s: failed to get tag\n", __func__));
490 			IPSEC_ISTAT(sproto, hdrops);
491 			error = ENOMEM;
492 			goto bad;
493 		}
494 
495 		tdbi = (struct tdb_ident *)(mtag + 1);
496 		bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len);
497 		tdbi->proto = sproto;
498 		tdbi->spi = sav->spi;
499 		/* Cache those two for enc(4) in xform_ipip. */
500 		tdbi->alg_auth = sav->alg_auth;
501 		tdbi->alg_enc = sav->alg_enc;
502 
503 		m_tag_prepend(m, mtag);
504 	} else if (mt != NULL) {
505 		mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
506 		/* XXX do we need to mark m_flags??? */
507 	}
508 
509 	key_sa_recordxfer(sav, m);		/* record data transfer */
510 
511 	/*
512 	 * In transport mode requeue decrypted mbuf back to IPv4 protocol
513 	 * handler. This is necessary to correctly expose rcvif.
514 	 */
515 	if (saidx->mode == IPSEC_MODE_TRANSPORT)
516 		prot = IPPROTO_IPIP;
517 #ifdef DEV_ENC
518 	/*
519 	 * Pass the mbuf to enc0 for bpf and pfil.
520 	 */
521 	if (prot == IPPROTO_IPIP)
522 		ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_AFTER);
523 #ifdef INET6
524 	if (prot == IPPROTO_IPV6)
525 		ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_AFTER);
526 #endif
527 
528 	if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
529 		return (error);
530 #endif /* DEV_ENC */
531 
532 	/*
533 	 * Re-dispatch via software interrupt.
534 	 */
535 
536 	switch (prot) {
537 	case IPPROTO_IPIP:
538 		isr_prot = NETISR_IP;
539 		break;
540 #ifdef INET6
541 	case IPPROTO_IPV6:
542 		isr_prot = NETISR_IPV6;
543 		break;
544 #endif
545 	default:
546 		DPRINTF(("%s: cannot handle inner ip proto %d\n",
547 			    __func__, prot));
548 		IPSEC_ISTAT(sproto, nopf);
549 		error = EPFNOSUPPORT;
550 		goto bad;
551 	}
552 
553 	error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
554 	if (error) {
555 		IPSEC_ISTAT(sproto, qfull);
556 		DPRINTF(("%s: queue full; proto %u packet dropped\n",
557 			__func__, sproto));
558 		return error;
559 	}
560 	return 0;
561 bad:
562 	m_freem(m);
563 	return error;
564 }
565 
566 void
567 ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto)
568 {
569 	/* XXX nothing just yet */
570 }
571 #endif /* INET */
572 
573 #ifdef INET6
574 /* IPv6 AH wrapper. */
575 int
576 ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
577 {
578 	int l = 0;
579 	int protoff;
580 	struct ip6_ext ip6e;
581 
582 	if (*offp < sizeof(struct ip6_hdr)) {
583 		DPRINTF(("%s: bad offset %u\n", __func__, *offp));
584 		return IPPROTO_DONE;
585 	} else if (*offp == sizeof(struct ip6_hdr)) {
586 		protoff = offsetof(struct ip6_hdr, ip6_nxt);
587 	} else {
588 		/* Chase down the header chain... */
589 		protoff = sizeof(struct ip6_hdr);
590 
591 		do {
592 			protoff += l;
593 			m_copydata(*mp, protoff, sizeof(ip6e),
594 			    (caddr_t) &ip6e);
595 
596 			if (ip6e.ip6e_nxt == IPPROTO_AH)
597 				l = (ip6e.ip6e_len + 2) << 2;
598 			else
599 				l = (ip6e.ip6e_len + 1) << 3;
600 			IPSEC_ASSERT(l > 0, ("l went zero or negative"));
601 		} while (protoff + l < *offp);
602 
603 		/* Malformed packet check */
604 		if (protoff + l != *offp) {
605 			DPRINTF(("%s: bad packet header chain, protoff %u, "
606 				"l %u, off %u\n", __func__, protoff, l, *offp));
607 			IPSEC_ISTAT(proto, hdrops);
608 			m_freem(*mp);
609 			*mp = NULL;
610 			return IPPROTO_DONE;
611 		}
612 		protoff += offsetof(struct ip6_ext, ip6e_nxt);
613 	}
614 	(void) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto);
615 	return IPPROTO_DONE;
616 }
617 
618 /*
619  * IPsec input callback, called by the transform callback. Takes care of
620  * filtering and other sanity checks on the processed packet.
621  */
622 int
623 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff,
624     struct m_tag *mt)
625 {
626 	int prot, af, sproto;
627 	struct ip6_hdr *ip6;
628 	struct m_tag *mtag;
629 	struct tdb_ident *tdbi;
630 	struct secasindex *saidx;
631 	int nxt;
632 	u_int8_t nxt8;
633 	int error, nest;
634 #ifdef notyet
635 	char ip6buf[INET6_ADDRSTRLEN];
636 #endif
637 
638 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
639 	IPSEC_ASSERT(sav != NULL, ("null SA"));
640 	IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
641 	saidx = &sav->sah->saidx;
642 	af = saidx->dst.sa.sa_family;
643 	IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
644 	sproto = saidx->proto;
645 	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
646 		sproto == IPPROTO_IPCOMP,
647 		("unexpected security protocol %u", sproto));
648 
649 	/* Sanity check */
650 	if (m == NULL) {
651 		DPRINTF(("%s: null mbuf", __func__));
652 		IPSEC_ISTAT(sproto, badkcr);
653 		error = EINVAL;
654 		goto bad;
655 	}
656 
657 	/* Fix IPv6 header */
658 	if (m->m_len < sizeof(struct ip6_hdr) &&
659 	    (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
660 
661 		DPRINTF(("%s: processing failed for SA %s/%08lx\n",
662 		    __func__, ipsec_address(&sav->sah->saidx.dst),
663 		    (u_long) ntohl(sav->spi)));
664 
665 		IPSEC_ISTAT(sproto, hdrops);
666 		error = EACCES;
667 		goto bad;
668 	}
669 
670 	ip6 = mtod(m, struct ip6_hdr *);
671 	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
672 
673 	/* Save protocol */
674 	m_copydata(m, protoff, 1, &nxt8);
675 	prot = nxt8;
676 
677 #ifdef DEV_ENC
678 	if_inc_counter(encif, IFCOUNTER_IPACKETS, 1);
679 	if_inc_counter(encif, IFCOUNTER_IBYTES, m->m_pkthdr.len);
680 
681 	/* Pass the mbuf to enc0 for bpf and pfil. */
682 	ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE);
683 	if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
684 		return (error);
685 #endif /* DEV_ENC */
686 
687 	/* IPv6-in-IP encapsulation */
688 	if (prot == IPPROTO_IPV6 &&
689 	    saidx->mode != IPSEC_MODE_TRANSPORT) {
690 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
691 			IPSEC_ISTAT(sproto, hdrops);
692 			error = EINVAL;
693 			goto bad;
694 		}
695 		/* ip6n will now contain the inner IPv6 header. */
696 		m_striphdr(m, 0, skip);
697 		skip = 0;
698 #ifdef notyet
699 		/*
700 		 * Check that the inner source address is the same as
701 		 * the proxy address, if available.
702 		 */
703 		if ((saidx->proxy.sa.sa_family == AF_INET6 &&
704 		    !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
705 		    !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
706 			&saidx->proxy.sin6.sin6_addr)) ||
707 		    (saidx->proxy.sa.sa_family != AF_INET6 &&
708 			saidx->proxy.sa.sa_family != 0)) {
709 
710 			DPRINTF(("%s: inner source address %s doesn't "
711 			    "correspond to expected proxy source %s, "
712 			    "SA %s/%08lx\n", __func__,
713 			    ip6_sprintf(ip6buf, &ip6n.ip6_src),
714 			    ipsec_address(&saidx->proxy),
715 			    ipsec_address(&saidx->dst),
716 			    (u_long) ntohl(sav->spi)));
717 
718 			IPSEC_ISTAT(sproto, pdrops);
719 			error = EACCES;
720 			goto bad;
721 		}
722 #endif /* notyet */
723 	}
724 #ifdef INET
725 	/* IP-in-IP encapsulation */
726 	else if (prot == IPPROTO_IPIP &&
727 	    saidx->mode != IPSEC_MODE_TRANSPORT) {
728 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
729 			IPSEC_ISTAT(sproto, hdrops);
730 			error = EINVAL;
731 			goto bad;
732 		}
733 		/* ipn will now contain the inner IPv4 header */
734 	 	m_striphdr(m, 0, skip);
735 		skip = 0;
736 #ifdef notyet
737 		/*
738 		 * Check that the inner source address is the same as
739 		 * the proxy address, if available.
740 		 */
741 		if ((saidx->proxy.sa.sa_family == AF_INET &&
742 		    saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
743 		    ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
744 		    (saidx->proxy.sa.sa_family != AF_INET &&
745 			saidx->proxy.sa.sa_family != 0)) {
746 
747 			DPRINTF(("%s: inner source address %s doesn't "
748 			    "correspond to expected proxy source %s, "
749 			    "SA %s/%08lx\n", __func__,
750 			    inet_ntoa4(ipn.ip_src),
751 			    ipsec_address(&saidx->proxy),
752 			    ipsec_address(&saidx->dst),
753 			    (u_long) ntohl(sav->spi)));
754 
755 			IPSEC_ISTAT(sproto, pdrops);
756 			error = EACCES;
757 			goto bad;
758 		}
759 #endif /* notyet */
760 	}
761 #endif /* INET */
762 	else {
763 		prot = IPPROTO_IPV6; /* for correct BPF processing */
764 	}
765 
766 	/*
767 	 * Record what we've done to the packet (under what SA it was
768 	 * processed). If we've been passed an mtag, it means the packet
769 	 * was already processed by an ethernet/crypto combo card and
770 	 * thus has a tag attached with all the right information, but
771 	 * with a PACKET_TAG_IPSEC_IN_CRYPTO_DONE as opposed to
772 	 * PACKET_TAG_IPSEC_IN_DONE type; in that case, just change the type.
773 	 */
774 	if (mt == NULL && sproto != IPPROTO_IPCOMP) {
775 		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
776 		    sizeof(struct tdb_ident), M_NOWAIT);
777 		if (mtag == NULL) {
778 			DPRINTF(("%s: failed to get tag\n", __func__));
779 			IPSEC_ISTAT(sproto, hdrops);
780 			error = ENOMEM;
781 			goto bad;
782 		}
783 
784 		tdbi = (struct tdb_ident *)(mtag + 1);
785 		bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union));
786 		tdbi->proto = sproto;
787 		tdbi->spi = sav->spi;
788 		/* Cache those two for enc(4) in xform_ipip. */
789 		tdbi->alg_auth = sav->alg_auth;
790 		tdbi->alg_enc = sav->alg_enc;
791 
792 		m_tag_prepend(m, mtag);
793 	} else {
794 		if (mt != NULL)
795 			mt->m_tag_id = PACKET_TAG_IPSEC_IN_DONE;
796 		/* XXX do we need to mark m_flags??? */
797 	}
798 
799 	key_sa_recordxfer(sav, m);
800 
801 #ifdef DEV_ENC
802 	/*
803 	 * Pass the mbuf to enc0 for bpf and pfil.
804 	 */
805 #ifdef INET
806 	if (prot == IPPROTO_IPIP)
807 		ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_AFTER);
808 #endif
809 	if (prot == IPPROTO_IPV6)
810 		ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_AFTER);
811 
812 	if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
813 		return (error);
814 #endif /* DEV_ENC */
815 	/*
816 	 * See the end of ip6_input for this logic.
817 	 * IPPROTO_IPV[46] case will be processed just like other ones
818 	 */
819 	nest = 0;
820 	nxt = nxt8;
821 	while (nxt != IPPROTO_DONE) {
822 		if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
823 			IP6STAT_INC(ip6s_toomanyhdr);
824 			error = EINVAL;
825 			goto bad;
826 		}
827 
828 		/*
829 		 * Protection against faulty packet - there should be
830 		 * more sanity checks in header chain processing.
831 		 */
832 		if (m->m_pkthdr.len < skip) {
833 			IP6STAT_INC(ip6s_tooshort);
834 			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
835 			error = EINVAL;
836 			goto bad;
837 		}
838 		/*
839 		 * Enforce IPsec policy checking if we are seeing last header.
840 		 * note that we do not visit this with protocols with pcb layer
841 		 * code - like udp/tcp/raw ip.
842 		 */
843 		if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
844 		    ipsec6_in_reject(m, NULL)) {
845 			error = EINVAL;
846 			goto bad;
847 		}
848 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
849 	}
850 	return 0;
851 bad:
852 	if (m)
853 		m_freem(m);
854 	return error;
855 }
856 
857 void
858 esp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
859 {
860 	struct ip6ctlparam *ip6cp = NULL;
861 	struct mbuf *m = NULL;
862 	struct ip6_hdr *ip6;
863 	int off;
864 
865 	if (sa->sa_family != AF_INET6 ||
866 	    sa->sa_len != sizeof(struct sockaddr_in6))
867 		return;
868 	if ((unsigned)cmd >= PRC_NCMDS)
869 		return;
870 
871 	/* if the parameter is from icmp6, decode it. */
872 	if (d != NULL) {
873 		ip6cp = (struct ip6ctlparam *)d;
874 		m = ip6cp->ip6c_m;
875 		ip6 = ip6cp->ip6c_ip6;
876 		off = ip6cp->ip6c_off;
877 	} else {
878 		m = NULL;
879 		ip6 = NULL;
880 		off = 0;	/* calm gcc */
881 	}
882 
883 	if (ip6 != NULL) {
884 
885 		struct ip6ctlparam ip6cp1;
886 
887 		/*
888 		 * Notify the error to all possible sockets via pfctlinput2.
889 		 * Since the upper layer information (such as protocol type,
890 		 * source and destination ports) is embedded in the encrypted
891 		 * data and might have been cut, we can't directly call
892 		 * an upper layer ctlinput function. However, the pcbnotify
893 		 * function will consider source and destination addresses
894 		 * as well as the flow info value, and may be able to find
895 		 * some PCB that should be notified.
896 		 * Although pfctlinput2 will call esp6_ctlinput(), there is
897 		 * no possibility of an infinite loop of function calls,
898 		 * because we don't pass the inner IPv6 header.
899 		 */
900 		bzero(&ip6cp1, sizeof(ip6cp1));
901 		ip6cp1.ip6c_src = ip6cp->ip6c_src;
902 		pfctlinput2(cmd, sa, (void *)&ip6cp1);
903 
904 		/*
905 		 * Then go to special cases that need ESP header information.
906 		 * XXX: We assume that when ip6 is non NULL,
907 		 * M and OFF are valid.
908 		 */
909 
910 		if (cmd == PRC_MSGSIZE) {
911 			struct secasvar *sav;
912 			u_int32_t spi;
913 			int valid;
914 
915 			/* check header length before using m_copydata */
916 			if (m->m_pkthdr.len < off + sizeof (struct esp))
917 				return;
918 			m_copydata(m, off + offsetof(struct esp, esp_spi),
919 				sizeof(u_int32_t), (caddr_t) &spi);
920 			/*
921 			 * Check to see if we have a valid SA corresponding to
922 			 * the address in the ICMP message payload.
923 			 */
924 			sav = KEY_ALLOCSA((union sockaddr_union *)sa,
925 					IPPROTO_ESP, spi);
926 			valid = (sav != NULL);
927 			if (sav)
928 				KEY_FREESAV(&sav);
929 
930 			/* XXX Further validation? */
931 
932 			/*
933 			 * Depending on whether the SA is "valid" and
934 			 * routing table size (mtudisc_{hi,lo}wat), we will:
935 			 * - recalcurate the new MTU and create the
936 			 *   corresponding routing entry, or
937 			 * - ignore the MTU change notification.
938 			 */
939 			icmp6_mtudisc_update(ip6cp, valid);
940 		}
941 	} else {
942 		/* we normally notify any pcb here */
943 	}
944 }
945 #endif /* INET6 */
946