1/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ 2/*- 3 * The authors of this code are John Ioannidis (ji@tla.org), 4 * Angelos D. Keromytis (kermit@csd.uch.gr) and 5 * Niels Provos (provos@physnet.uni-hamburg.de). 6 * 7 * This code was written by John Ioannidis for BSD/OS in Athens, Greece, 8 * in November 1995. 9 * 10 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, 11 * by Angelos D. Keromytis. 12 * 13 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis 14 * and Niels Provos. 15 * 16 * Additional features in 1999 by Angelos D. Keromytis. 17 * 18 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis, 19 * Angelos D. Keromytis and Niels Provos. 20 * Copyright (c) 2001, Angelos D. Keromytis. 21 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 22 * 23 * Permission to use, copy, and modify this software with or without fee 24 * is hereby granted, provided that this entire notice is included in 25 * all copies of any software which is or includes a copy or 26 * modification of this software. 27 * You may use this code under the GNU public license if you so wish. Please 28 * contribute changes back to the authors under this freer than GPL license 29 * so that we may further the use of strong encryption without limitations to 30 * all. 31 * 32 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR 33 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY 34 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE 35 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR 36 * PURPOSE. 37 */ 38 39/* 40 * IPsec input processing. 41 */ 42 43#include <sys/cdefs.h> 44#include "opt_inet.h" 45#include "opt_inet6.h" 46#include "opt_ipsec.h" 47 48#include <sys/param.h> 49#include <sys/systm.h> 50#include <sys/malloc.h> 51#include <sys/mbuf.h> 52#include <sys/domain.h> 53#include <sys/protosw.h> 54#include <sys/socket.h> 55#include <sys/errno.h> 56#include <sys/hhook.h> 57#include <sys/syslog.h> 58 59#include <net/if.h> 60#include <net/if_var.h> 61#include <net/if_enc.h> 62#include <net/if_private.h> 63#include <net/netisr.h> 64#include <net/vnet.h> 65 66#include <netinet/in.h> 67#include <netinet/in_pcb.h> 68#include <netinet/in_systm.h> 69#include <netinet/ip.h> 70#include <netinet/ip_var.h> 71#include <netinet/ip_icmp.h> 72#include <netinet/in_var.h> 73#include <netinet/tcp_var.h> 74 75#include <netinet/ip6.h> 76#ifdef INET6 77#include <netinet6/ip6_var.h> 78#endif 79#include <netinet/in_pcb.h> 80#ifdef INET6 81#include <netinet/icmp6.h> 82#endif 83 84#include <netipsec/ipsec.h> 85#ifdef INET6 86#include <netipsec/ipsec6.h> 87#endif 88#include <netipsec/ipsec_support.h> 89#include <netipsec/ah_var.h> 90#include <netipsec/esp.h> 91#include <netipsec/esp_var.h> 92#include <netipsec/ipcomp_var.h> 93 94#include <netipsec/key.h> 95#include <netipsec/keydb.h> 96#include <netipsec/key_debug.h> 97 98#include <netipsec/xform.h> 99 100#include <machine/in_cksum.h> 101#include <machine/stdarg.h> 102 103#define IPSEC_ISTAT(proto, name) do { \ 104 if ((proto) == IPPROTO_ESP) \ 105 ESPSTAT_INC(esps_##name); \ 106 else if ((proto) == IPPROTO_AH) \ 107 AHSTAT_INC(ahs_##name); \ 108 else \ 109 IPCOMPSTAT_INC(ipcomps_##name); \ 110} while (0) 111 112/* 113 * ipsec_common_input gets called when an IPsec-protected packet 114 * is received by IPv4 or IPv6. Its job is to find the right SA 115 * and call the appropriate transform. The transform callback 116 * takes care of further processing (like ingress filtering). 117 */ 118static int 119ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) 120{ 121 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 122 union sockaddr_union dst_address; 123 struct secasvar *sav; 124 uint32_t spi; 125 int error; 126 127 IPSEC_ISTAT(sproto, input); 128 129 IPSEC_ASSERT(m != NULL, ("null packet")); 130 131 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 132 sproto == IPPROTO_IPCOMP, 133 ("unexpected security protocol %u", sproto)); 134 135 if ((sproto == IPPROTO_ESP && !V_esp_enable) || 136 (sproto == IPPROTO_AH && !V_ah_enable) || 137 (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { 138 m_freem(m); 139 IPSEC_ISTAT(sproto, pdrops); 140 return EOPNOTSUPP; 141 } 142 143 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { 144 m_freem(m); 145 IPSEC_ISTAT(sproto, hdrops); 146 DPRINTF(("%s: packet too small\n", __func__)); 147 return EINVAL; 148 } 149 150 /* Retrieve the SPI from the relevant IPsec header */ 151 if (sproto == IPPROTO_ESP) 152 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi); 153 else if (sproto == IPPROTO_AH) 154 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t), 155 (caddr_t) &spi); 156 else if (sproto == IPPROTO_IPCOMP) { 157 u_int16_t cpi; 158 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t), 159 (caddr_t) &cpi); 160 spi = ntohl(htons(cpi)); 161 } 162 163 /* 164 * Find the SA and (indirectly) call the appropriate 165 * kernel crypto routine. The resulting mbuf chain is a valid 166 * IP packet ready to go through input processing. 167 */ 168 bzero(&dst_address, sizeof (dst_address)); 169 dst_address.sa.sa_family = af; 170 switch (af) { 171#ifdef INET 172 case AF_INET: 173 dst_address.sin.sin_len = sizeof(struct sockaddr_in); 174 m_copydata(m, offsetof(struct ip, ip_dst), 175 sizeof(struct in_addr), 176 (caddr_t) &dst_address.sin.sin_addr); 177 break; 178#endif /* INET */ 179#ifdef INET6 180 case AF_INET6: 181 dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6); 182 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst), 183 sizeof(struct in6_addr), 184 (caddr_t) &dst_address.sin6.sin6_addr); 185 /* We keep addresses in SADB without embedded scope id */ 186 if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) { 187 /* XXX: sa6_recoverscope() */ 188 dst_address.sin6.sin6_scope_id = 189 ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]); 190 dst_address.sin6.sin6_addr.s6_addr16[1] = 0; 191 } 192 break; 193#endif /* INET6 */ 194 default: 195 DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); 196 m_freem(m); 197 IPSEC_ISTAT(sproto, nopf); 198 return EPFNOSUPPORT; 199 } 200 201 /* NB: only pass dst since key_allocsa follows RFC2401 */ 202 sav = key_allocsa(&dst_address, sproto, spi); 203 if (sav == NULL) { 204 DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", 205 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 206 (u_long) ntohl(spi), sproto)); 207 IPSEC_ISTAT(sproto, notdb); 208 m_freem(m); 209 return ENOENT; 210 } 211 212 if (sav->tdb_xform == NULL) { 213 DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", 214 __func__, ipsec_address(&dst_address, buf, sizeof(buf)), 215 (u_long) ntohl(spi), sproto)); 216 IPSEC_ISTAT(sproto, noxform); 217 key_freesav(&sav); 218 m_freem(m); 219 return ENXIO; 220 } 221 222 /* 223 * Call appropriate transform and return -- callback takes care of 224 * everything else. 225 */ 226 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff); 227 return (error); 228} 229 230#ifdef INET 231/* 232 * IPSEC_INPUT() method implementation for IPv4. 233 * 0 - Permitted by inbound security policy for further processing. 234 * EACCES - Forbidden by inbound security policy. 235 * EINPROGRESS - consumed by IPsec. 236 */ 237int 238ipsec4_input(struct mbuf *m, int offset, int proto) 239{ 240 241 switch (proto) { 242 case IPPROTO_AH: 243 case IPPROTO_ESP: 244 case IPPROTO_IPCOMP: 245 /* Do inbound IPsec processing for AH/ESP/IPCOMP */ 246 ipsec_common_input(m, offset, 247 offsetof(struct ip, ip_p), AF_INET, proto); 248 return (EINPROGRESS); /* mbuf consumed by IPsec */ 249 default: 250 /* 251 * Protocols with further headers get their IPsec treatment 252 * within the protocol specific processing. 253 */ 254 switch (proto) { 255 case IPPROTO_ICMP: 256 case IPPROTO_IGMP: 257 case IPPROTO_IPV4: 258 case IPPROTO_IPV6: 259 case IPPROTO_RSVP: 260 case IPPROTO_GRE: 261 case IPPROTO_MOBILE: 262 case IPPROTO_ETHERIP: 263 case IPPROTO_PIM: 264 case IPPROTO_SCTP: 265 break; 266 default: 267 return (0); 268 } 269 }; 270 /* 271 * Enforce IPsec policy checking if we are seeing last header. 272 */ 273 if (ipsec4_in_reject(m, NULL) != 0) { 274 /* Forbidden by inbound security policy */ 275 m_freem(m); 276 return (EACCES); 277 } 278 return (0); 279} 280 281int 282ipsec4_ctlinput(ipsec_ctlinput_param_t param) 283{ 284 struct icmp *icp = param.icmp; 285 struct ip *ip = &icp->icmp_ip; 286 struct sockaddr_in icmpsrc = { 287 .sin_len = sizeof(struct sockaddr_in), 288 .sin_family = AF_INET, 289 .sin_addr = ip->ip_dst, 290 }; 291 struct in_conninfo inc; 292 struct secasvar *sav; 293 uint32_t pmtu, spi; 294 uint32_t max_pmtu; 295 uint8_t proto; 296 297 pmtu = ntohs(icp->icmp_nextmtu); 298 299 if (pmtu < V_ip4_ipsec_min_pmtu) 300 return (EINVAL); 301 302 proto = ip->ip_p; 303 if (proto != IPPROTO_ESP && proto != IPPROTO_AH && 304 proto != IPPROTO_IPCOMP) 305 return (EINVAL); 306 307 memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi)); 308 sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi); 309 if (sav == NULL) 310 return (ENOENT); 311 312 key_freesav(&sav); 313 314 memset(&inc, 0, sizeof(inc)); 315 inc.inc_faddr = ip->ip_dst; 316 317 /* Update pmtu only if its smaller than the current one. */ 318 max_pmtu = tcp_hc_getmtu(&inc); 319 if (max_pmtu == 0) 320 max_pmtu = tcp_maxmtu(&inc, NULL); 321 322 if (pmtu < max_pmtu) 323 tcp_hc_updatemtu(&inc, pmtu); 324 325 return (0); 326} 327 328/* 329 * IPsec input callback for INET protocols. 330 * This routine is called as the transform callback. 331 * Takes care of filtering and other sanity checks on 332 * the processed packet. 333 */ 334int 335ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 336 int protoff) 337{ 338 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 339 struct epoch_tracker et; 340 struct ipsec_ctx_data ctx; 341 struct xform_history *xh; 342 struct secasindex *saidx; 343 struct m_tag *mtag; 344 struct ip *ip; 345 int error, prot, af, sproto, isr_prot; 346 347 IPSEC_ASSERT(sav != NULL, ("null SA")); 348 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 349 saidx = &sav->sah->saidx; 350 af = saidx->dst.sa.sa_family; 351 IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af)); 352 sproto = saidx->proto; 353 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 354 sproto == IPPROTO_IPCOMP, 355 ("unexpected security protocol %u", sproto)); 356 357 if (skip != 0) { 358 /* 359 * Fix IPv4 header 360 */ 361 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) { 362 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 363 __func__, ipsec_address(&sav->sah->saidx.dst, 364 buf, sizeof(buf)), (u_long) ntohl(sav->spi))); 365 IPSEC_ISTAT(sproto, hdrops); 366 error = ENOBUFS; 367 goto bad_noepoch; 368 } 369 370 ip = mtod(m, struct ip *); 371 ip->ip_len = htons(m->m_pkthdr.len); 372 ip->ip_sum = 0; 373 ip->ip_sum = in_cksum(m, ip->ip_hl << 2); 374 } else { 375 ip = mtod(m, struct ip *); 376 } 377 prot = ip->ip_p; 378 /* 379 * Check that we have NAT-T enabled and apply transport mode 380 * decapsulation NAT procedure (RFC3948). 381 * Do this before invoking into the PFIL. 382 */ 383 if (sav->natt != NULL && 384 (prot == IPPROTO_UDP || prot == IPPROTO_TCP)) 385 udp_ipsec_adjust_cksum(m, sav, prot, skip); 386 387 /* 388 * Needed for ipsec_run_hooks and netisr_queue_src 389 */ 390 NET_EPOCH_ENTER(et); 391 392 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE); 393 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 394 goto bad; 395 ip = mtod(m, struct ip *); /* update pointer */ 396 397 /* IP-in-IP encapsulation */ 398 if (prot == IPPROTO_IPIP && 399 saidx->mode != IPSEC_MODE_TRANSPORT) { 400 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 401 IPSEC_ISTAT(sproto, hdrops); 402 error = EINVAL; 403 goto bad; 404 } 405 /* enc0: strip outer IPv4 header */ 406 m_striphdr(m, 0, ip->ip_hl << 2); 407 } 408#ifdef INET6 409 /* IPv6-in-IP encapsulation. */ 410 else if (prot == IPPROTO_IPV6 && 411 saidx->mode != IPSEC_MODE_TRANSPORT) { 412 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 413 IPSEC_ISTAT(sproto, hdrops); 414 error = EINVAL; 415 goto bad; 416 } 417 /* enc0: strip IPv4 header, keep IPv6 header only */ 418 m_striphdr(m, 0, ip->ip_hl << 2); 419 } 420#endif /* INET6 */ 421 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) { 422 /* 423 * When mode is wildcard, inner protocol is IPv6 and 424 * we have no INET6 support - drop this packet a bit later. 425 * In other cases we assume transport mode. Set prot to 426 * correctly choose netisr. 427 */ 428 prot = IPPROTO_IPIP; 429 } 430 431 /* 432 * Record what we've done to the packet (under what SA it was 433 * processed). 434 */ 435 if (sproto != IPPROTO_IPCOMP) { 436 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 437 sizeof(struct xform_history), M_NOWAIT); 438 if (mtag == NULL) { 439 DPRINTF(("%s: failed to get tag\n", __func__)); 440 IPSEC_ISTAT(sproto, hdrops); 441 error = ENOMEM; 442 goto bad; 443 } 444 445 xh = (struct xform_history *)(mtag + 1); 446 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); 447 xh->spi = sav->spi; 448 xh->proto = sproto; 449 xh->mode = saidx->mode; 450 m_tag_prepend(m, mtag); 451 } 452 453 key_sa_recordxfer(sav, m); /* record data transfer */ 454 455 /* 456 * In transport mode requeue decrypted mbuf back to IPv4 protocol 457 * handler. This is necessary to correctly expose rcvif. 458 */ 459 if (saidx->mode == IPSEC_MODE_TRANSPORT) 460 prot = IPPROTO_IPIP; 461 /* 462 * Re-dispatch via software interrupt. 463 */ 464 switch (prot) { 465 case IPPROTO_IPIP: 466 isr_prot = NETISR_IP; 467 af = AF_INET; 468 break; 469#ifdef INET6 470 case IPPROTO_IPV6: 471 isr_prot = NETISR_IPV6; 472 af = AF_INET6; 473 break; 474#endif 475 default: 476 DPRINTF(("%s: cannot handle inner ip proto %d\n", 477 __func__, prot)); 478 IPSEC_ISTAT(sproto, nopf); 479 error = EPFNOSUPPORT; 480 goto bad; 481 } 482 483 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER); 484 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 485 goto bad; 486 487 /* Handle virtual tunneling interfaces */ 488 if (saidx->mode == IPSEC_MODE_TUNNEL) 489 error = ipsec_if_input(m, sav, af); 490 if (error == 0) { 491 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m); 492 if (error) { 493 IPSEC_ISTAT(sproto, qfull); 494 DPRINTF(("%s: queue full; proto %u packet dropped\n", 495 __func__, sproto)); 496 } 497 } 498 NET_EPOCH_EXIT(et); 499 key_freesav(&sav); 500 return (error); 501bad: 502 NET_EPOCH_EXIT(et); 503bad_noepoch: 504 key_freesav(&sav); 505 if (m != NULL) 506 m_freem(m); 507 return (error); 508} 509#endif /* INET */ 510 511#ifdef INET6 512static bool 513ipsec6_lasthdr(int proto) 514{ 515 516 switch (proto) { 517 case IPPROTO_IPV4: 518 case IPPROTO_IPV6: 519 case IPPROTO_GRE: 520 case IPPROTO_ICMPV6: 521 case IPPROTO_ETHERIP: 522 case IPPROTO_PIM: 523 case IPPROTO_SCTP: 524 return (true); 525 default: 526 return (false); 527 }; 528} 529 530/* 531 * IPSEC_INPUT() method implementation for IPv6. 532 * 0 - Permitted by inbound security policy for further processing. 533 * EACCES - Forbidden by inbound security policy. 534 * EINPROGRESS - consumed by IPsec. 535 */ 536int 537ipsec6_input(struct mbuf *m, int offset, int proto) 538{ 539 540 switch (proto) { 541 case IPPROTO_AH: 542 case IPPROTO_ESP: 543 case IPPROTO_IPCOMP: 544 /* Do inbound IPsec processing for AH/ESP/IPCOMP */ 545 ipsec_common_input(m, offset, 546 offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto); 547 return (EINPROGRESS); /* mbuf consumed by IPsec */ 548 default: 549 /* 550 * Protocols with further headers get their IPsec treatment 551 * within the protocol specific processing. 552 */ 553 if (!ipsec6_lasthdr(proto)) 554 return (0); 555 /* FALLTHROUGH */ 556 }; 557 /* 558 * Enforce IPsec policy checking if we are seeing last header. 559 */ 560 if (ipsec6_in_reject(m, NULL) != 0) { 561 /* Forbidden by inbound security policy */ 562 m_freem(m); 563 return (EACCES); 564 } 565 return (0); 566} 567 568int 569ipsec6_ctlinput(ipsec_ctlinput_param_t param) 570{ 571 return (0); 572} 573 574extern ipproto_input_t *ip6_protox[]; 575 576/* 577 * IPsec input callback, called by the transform callback. Takes care of 578 * filtering and other sanity checks on the processed packet. 579 */ 580int 581ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, 582 int protoff) 583{ 584 IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]); 585 struct epoch_tracker et; 586 struct ipsec_ctx_data ctx; 587 struct xform_history *xh; 588 struct secasindex *saidx; 589 struct ip6_hdr *ip6; 590 struct m_tag *mtag; 591 int prot, af, sproto; 592 int nxt, isr_prot; 593 int error, nest; 594 uint8_t nxt8; 595 596 IPSEC_ASSERT(sav != NULL, ("null SA")); 597 IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); 598 saidx = &sav->sah->saidx; 599 af = saidx->dst.sa.sa_family; 600 IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af)); 601 sproto = saidx->proto; 602 IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH || 603 sproto == IPPROTO_IPCOMP, 604 ("unexpected security protocol %u", sproto)); 605 606 NET_EPOCH_ENTER(et); 607 608 /* Fix IPv6 header */ 609 if (m->m_len < sizeof(struct ip6_hdr) && 610 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) { 611 DPRINTF(("%s: processing failed for SA %s/%08lx\n", 612 __func__, ipsec_address(&sav->sah->saidx.dst, buf, 613 sizeof(buf)), (u_long) ntohl(sav->spi))); 614 615 IPSEC_ISTAT(sproto, hdrops); 616 error = EACCES; 617 goto bad; 618 } 619 620 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE); 621 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 622 goto bad; 623 624 ip6 = mtod(m, struct ip6_hdr *); 625 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr)); 626 627 /* Save protocol */ 628 m_copydata(m, protoff, 1, &nxt8); 629 prot = nxt8; 630 631 /* 632 * Check that we have NAT-T enabled and apply transport mode 633 * decapsulation NAT procedure (RFC3948). 634 * Do this before invoking into the PFIL. 635 */ 636 if (sav->natt != NULL && 637 (prot == IPPROTO_UDP || prot == IPPROTO_TCP)) 638 udp_ipsec_adjust_cksum(m, sav, prot, skip); 639 640 /* IPv6-in-IP encapsulation */ 641 if (prot == IPPROTO_IPV6 && 642 saidx->mode != IPSEC_MODE_TRANSPORT) { 643 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { 644 IPSEC_ISTAT(sproto, hdrops); 645 error = EINVAL; 646 goto bad; 647 } 648 /* ip6n will now contain the inner IPv6 header. */ 649 m_striphdr(m, 0, skip); 650 skip = 0; 651 } 652#ifdef INET 653 /* IP-in-IP encapsulation */ 654 else if (prot == IPPROTO_IPIP && 655 saidx->mode != IPSEC_MODE_TRANSPORT) { 656 if (m->m_pkthdr.len - skip < sizeof(struct ip)) { 657 IPSEC_ISTAT(sproto, hdrops); 658 error = EINVAL; 659 goto bad; 660 } 661 /* ipn will now contain the inner IPv4 header */ 662 m_striphdr(m, 0, skip); 663 skip = 0; 664 } 665#endif /* INET */ 666 else { 667 prot = IPPROTO_IPV6; /* for correct BPF processing */ 668 } 669 670 /* 671 * Record what we've done to the packet (under what SA it was 672 * processed). 673 */ 674 if (sproto != IPPROTO_IPCOMP) { 675 mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE, 676 sizeof(struct xform_history), M_NOWAIT); 677 if (mtag == NULL) { 678 DPRINTF(("%s: failed to get tag\n", __func__)); 679 IPSEC_ISTAT(sproto, hdrops); 680 error = ENOMEM; 681 goto bad; 682 } 683 684 xh = (struct xform_history *)(mtag + 1); 685 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len); 686 xh->spi = sav->spi; 687 xh->proto = sproto; 688 xh->mode = saidx->mode; 689 m_tag_prepend(m, mtag); 690 } 691 692 key_sa_recordxfer(sav, m); 693 694#ifdef INET 695 if (prot == IPPROTO_IPIP) 696 af = AF_INET; 697 else 698#endif 699 af = AF_INET6; 700 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER); 701 if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0) 702 goto bad; 703 if (skip == 0) { 704 /* 705 * We stripped outer IPv6 header. 706 * Now we should requeue decrypted packet via netisr. 707 */ 708 switch (prot) { 709#ifdef INET 710 case IPPROTO_IPIP: 711 isr_prot = NETISR_IP; 712 break; 713#endif 714 case IPPROTO_IPV6: 715 isr_prot = NETISR_IPV6; 716 break; 717 default: 718 DPRINTF(("%s: cannot handle inner ip proto %d\n", 719 __func__, prot)); 720 IPSEC_ISTAT(sproto, nopf); 721 error = EPFNOSUPPORT; 722 goto bad; 723 } 724 /* Handle virtual tunneling interfaces */ 725 if (saidx->mode == IPSEC_MODE_TUNNEL) 726 error = ipsec_if_input(m, sav, af); 727 if (error == 0) { 728 error = netisr_queue_src(isr_prot, 729 (uintptr_t)sav->spi, m); 730 if (error) { 731 IPSEC_ISTAT(sproto, qfull); 732 DPRINTF(("%s: queue full; proto %u packet" 733 " dropped\n", __func__, sproto)); 734 } 735 } 736 NET_EPOCH_EXIT(et); 737 key_freesav(&sav); 738 return (error); 739 } 740 /* 741 * See the end of ip6_input for this logic. 742 * IPPROTO_IPV[46] case will be processed just like other ones 743 */ 744 nest = 0; 745 nxt = nxt8; 746 while (nxt != IPPROTO_DONE) { 747 if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { 748 IP6STAT_INC(ip6s_toomanyhdr); 749 error = EINVAL; 750 goto bad; 751 } 752 753 /* 754 * Protection against faulty packet - there should be 755 * more sanity checks in header chain processing. 756 */ 757 if (m->m_pkthdr.len < skip) { 758 IP6STAT_INC(ip6s_tooshort); 759 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); 760 error = EINVAL; 761 goto bad; 762 } 763 /* 764 * Enforce IPsec policy checking if we are seeing last header. 765 * note that we do not visit this with protocols with pcb layer 766 * code - like udp/tcp/raw ip. 767 */ 768 if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) { 769 error = EINVAL; 770 goto bad; 771 } 772 nxt = ip6_protox[nxt](&m, &skip, nxt); 773 } 774 NET_EPOCH_EXIT(et); 775 key_freesav(&sav); 776 return (0); 777bad: 778 NET_EPOCH_EXIT(et); 779 key_freesav(&sav); 780 if (m) 781 m_freem(m); 782 return (error); 783} 784#endif /* INET6 */ 785