Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/netinet6/esp_input.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* $FreeBSD: releng/5.0/sys/netinet6/esp_input.c 102347 2002-08-24 04:48:13Z ume $ */ 2 /* $KAME: esp_input.c,v 1.62 2002/01/07 11:39:57 kjc Exp $ */ 3 4 /* 5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the project nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33 /* 34 * RFC1827/2406 Encapsulated Security Payload. 35 */ 36 37 #include "opt_inet.h" 38 #include "opt_inet6.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/mbuf.h> 43 #include <sys/domain.h> 44 #include <sys/protosw.h> 45 #include <sys/socket.h> 46 #include <sys/errno.h> 47 #include <sys/time.h> 48 #include <sys/syslog.h> 49 50 #include <net/if.h> 51 #include <net/route.h> 52 #include <net/netisr.h> 53 #include <machine/cpu.h> 54 55 #include <netinet/in.h> 56 #include <netinet/in_systm.h> 57 #include <netinet/ip.h> 58 #include <netinet/ip_var.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip_ecn.h> 61 #ifdef INET6 62 #include <netinet6/ip6_ecn.h> 63 #endif 64 65 #ifdef INET6 66 #include <netinet/ip6.h> 67 #include <netinet/in_pcb.h> 68 #include <netinet6/in6_pcb.h> 69 #include <netinet6/ip6_var.h> 70 #include <netinet/icmp6.h> 71 #include <netinet6/ip6protosw.h> 72 #endif 73 74 #include <netinet6/ipsec.h> 75 #ifdef INET6 76 #include <netinet6/ipsec6.h> 77 #endif 78 #include <netinet6/ah.h> 79 #ifdef INET6 80 #include <netinet6/ah6.h> 81 #endif 82 #include <netinet6/esp.h> 83 #ifdef INET6 84 #include <netinet6/esp6.h> 85 #endif 86 #include <netkey/key.h> 87 #include <netkey/keydb.h> 88 #include <netkey/key_debug.h> 89 90 #include <machine/stdarg.h> 91 92 #include <net/net_osdep.h> 93 94 #define IPLEN_FLIPPED 95 96 #define ESPMAXLEN \ 97 (sizeof(struct esp) < sizeof(struct newesp) \ 98 ? sizeof(struct newesp) : sizeof(struct esp)) 99 100 #ifdef INET 101 extern struct protosw inetsw[]; 102 103 void 104 esp4_input(m, off) 105 struct mbuf *m; 106 int off; 107 { 108 struct ip *ip; 109 struct esp *esp; 110 struct esptail esptail; 111 u_int32_t spi; 112 struct secasvar *sav = NULL; 113 size_t taillen; 114 u_int16_t nxt; 115 const struct esp_algorithm *algo; 116 int ivlen; 117 size_t hlen; 118 size_t esplen; 119 int proto; 120 121 /* sanity check for alignment. */ 122 if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { 123 ipseclog((LOG_ERR, "IPv4 ESP input: packet alignment problem " 124 "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len)); 125 ipsecstat.in_inval++; 126 goto bad; 127 } 128 129 if (m->m_len < off + ESPMAXLEN) { 130 m = m_pullup(m, off + ESPMAXLEN); 131 if (!m) { 132 ipseclog((LOG_DEBUG, 133 "IPv4 ESP input: can't pullup in esp4_input\n")); 134 ipsecstat.in_inval++; 135 goto bad; 136 } 137 } 138 139 ip = mtod(m, struct ip *); 140 proto = ip->ip_p; 141 esp = (struct esp *)(((u_int8_t *)ip) + off); 142 #ifdef _IP_VHL 143 hlen = IP_VHL_HL(ip->ip_vhl) << 2; 144 #else 145 hlen = ip->ip_hl << 2; 146 #endif 147 148 /* find the sassoc. */ 149 spi = esp->esp_spi; 150 151 if ((sav = key_allocsa(AF_INET, 152 (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst, 153 IPPROTO_ESP, spi)) == 0) { 154 ipseclog((LOG_WARNING, 155 "IPv4 ESP input: no key association found for spi %u\n", 156 (u_int32_t)ntohl(spi))); 157 ipsecstat.in_nosa++; 158 goto bad; 159 } 160 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 161 printf("DP esp4_input called to allocate SA:%p\n", sav)); 162 if (sav->state != SADB_SASTATE_MATURE 163 && sav->state != SADB_SASTATE_DYING) { 164 ipseclog((LOG_DEBUG, 165 "IPv4 ESP input: non-mature/dying SA found for spi %u\n", 166 (u_int32_t)ntohl(spi))); 167 ipsecstat.in_badspi++; 168 goto bad; 169 } 170 algo = esp_algorithm_lookup(sav->alg_enc); 171 if (!algo) { 172 ipseclog((LOG_DEBUG, "IPv4 ESP input: " 173 "unsupported encryption algorithm for spi %u\n", 174 (u_int32_t)ntohl(spi))); 175 ipsecstat.in_badspi++; 176 goto bad; 177 } 178 179 /* check if we have proper ivlen information */ 180 ivlen = sav->ivlen; 181 if (ivlen < 0) { 182 ipseclog((LOG_ERR, "inproper ivlen in IPv4 ESP input: %s %s\n", 183 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 184 ipsecstat.in_inval++; 185 goto bad; 186 } 187 188 if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay 189 && (sav->alg_auth && sav->key_auth))) 190 goto noreplaycheck; 191 192 if (sav->alg_auth == SADB_X_AALG_NULL || 193 sav->alg_auth == SADB_AALG_NONE) 194 goto noreplaycheck; 195 196 /* 197 * check for sequence number. 198 */ 199 if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) 200 ; /* okey */ 201 else { 202 ipsecstat.in_espreplay++; 203 ipseclog((LOG_WARNING, 204 "replay packet in IPv4 ESP input: %s %s\n", 205 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 206 goto bad; 207 } 208 209 /* check ICV */ 210 { 211 u_char sum0[AH_MAXSUMSIZE]; 212 u_char sum[AH_MAXSUMSIZE]; 213 const struct ah_algorithm *sumalgo; 214 size_t siz; 215 216 sumalgo = ah_algorithm_lookup(sav->alg_auth); 217 if (!sumalgo) 218 goto noreplaycheck; 219 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); 220 if (m->m_pkthdr.len < off + ESPMAXLEN + siz) { 221 ipsecstat.in_inval++; 222 goto bad; 223 } 224 if (AH_MAXSUMSIZE < siz) { 225 ipseclog((LOG_DEBUG, 226 "internal error: AH_MAXSUMSIZE must be larger than %lu\n", 227 (u_long)siz)); 228 ipsecstat.in_inval++; 229 goto bad; 230 } 231 232 m_copydata(m, m->m_pkthdr.len - siz, siz, &sum0[0]); 233 234 if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { 235 ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n", 236 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 237 ipsecstat.in_espauthfail++; 238 goto bad; 239 } 240 241 if (bcmp(sum0, sum, siz) != 0) { 242 ipseclog((LOG_WARNING, "auth fail in IPv4 ESP input: %s %s\n", 243 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 244 ipsecstat.in_espauthfail++; 245 goto bad; 246 } 247 248 /* strip off the authentication data */ 249 m_adj(m, -siz); 250 ip = mtod(m, struct ip *); 251 #ifdef IPLEN_FLIPPED 252 ip->ip_len = ip->ip_len - siz; 253 #else 254 ip->ip_len = htons(ntohs(ip->ip_len) - siz); 255 #endif 256 m->m_flags |= M_AUTHIPDGM; 257 ipsecstat.in_espauthsucc++; 258 } 259 260 /* 261 * update sequence number. 262 */ 263 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) { 264 if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) { 265 ipsecstat.in_espreplay++; 266 goto bad; 267 } 268 } 269 270 noreplaycheck: 271 272 /* process main esp header. */ 273 if (sav->flags & SADB_X_EXT_OLD) { 274 /* RFC 1827 */ 275 esplen = sizeof(struct esp); 276 } else { 277 /* RFC 2406 */ 278 if (sav->flags & SADB_X_EXT_DERIV) 279 esplen = sizeof(struct esp); 280 else 281 esplen = sizeof(struct newesp); 282 } 283 284 if (m->m_pkthdr.len < off + esplen + ivlen + sizeof(esptail)) { 285 ipseclog((LOG_WARNING, 286 "IPv4 ESP input: packet too short\n")); 287 ipsecstat.in_inval++; 288 goto bad; 289 } 290 291 if (m->m_len < off + esplen + ivlen) { 292 m = m_pullup(m, off + esplen + ivlen); 293 if (!m) { 294 ipseclog((LOG_DEBUG, 295 "IPv4 ESP input: can't pullup in esp4_input\n")); 296 ipsecstat.in_inval++; 297 goto bad; 298 } 299 } 300 301 /* 302 * pre-compute and cache intermediate key 303 */ 304 if (esp_schedule(algo, sav) != 0) { 305 ipsecstat.in_inval++; 306 goto bad; 307 } 308 309 /* 310 * decrypt the packet. 311 */ 312 if (!algo->decrypt) 313 panic("internal error: no decrypt function"); 314 if ((*algo->decrypt)(m, off, sav, algo, ivlen)) { 315 /* m is already freed */ 316 m = NULL; 317 ipseclog((LOG_ERR, "decrypt fail in IPv4 ESP input: %s\n", 318 ipsec_logsastr(sav))); 319 ipsecstat.in_inval++; 320 goto bad; 321 } 322 ipsecstat.in_esphist[sav->alg_enc]++; 323 324 m->m_flags |= M_DECRYPTED; 325 326 /* 327 * find the trailer of the ESP. 328 */ 329 m_copydata(m, m->m_pkthdr.len - sizeof(esptail), sizeof(esptail), 330 (caddr_t)&esptail); 331 nxt = esptail.esp_nxt; 332 taillen = esptail.esp_padlen + sizeof(esptail); 333 334 if (m->m_pkthdr.len < taillen 335 || m->m_pkthdr.len - taillen < hlen) { /* ? */ 336 ipseclog((LOG_WARNING, 337 "bad pad length in IPv4 ESP input: %s %s\n", 338 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 339 ipsecstat.in_inval++; 340 goto bad; 341 } 342 343 /* strip off the trailing pad area. */ 344 m_adj(m, -taillen); 345 346 #ifdef IPLEN_FLIPPED 347 ip->ip_len = ip->ip_len - taillen; 348 #else 349 ip->ip_len = htons(ntohs(ip->ip_len) - taillen); 350 #endif 351 352 /* was it transmitted over the IPsec tunnel SA? */ 353 if (ipsec4_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) { 354 /* 355 * strip off all the headers that precedes ESP header. 356 * IP4 xx ESP IP4' payload -> IP4' payload 357 * 358 * XXX more sanity checks 359 * XXX relationship with gif? 360 */ 361 u_int8_t tos; 362 363 tos = ip->ip_tos; 364 m_adj(m, off + esplen + ivlen); 365 if (m->m_len < sizeof(*ip)) { 366 m = m_pullup(m, sizeof(*ip)); 367 if (!m) { 368 ipsecstat.in_inval++; 369 goto bad; 370 } 371 } 372 ip = mtod(m, struct ip *); 373 /* ECN consideration. */ 374 ip_ecn_egress(ip4_ipsec_ecn, &tos, &ip->ip_tos); 375 if (!key_checktunnelsanity(sav, AF_INET, 376 (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst)) { 377 ipseclog((LOG_ERR, "ipsec tunnel address mismatch " 378 "in IPv4 ESP input: %s %s\n", 379 ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav))); 380 ipsecstat.in_inval++; 381 goto bad; 382 } 383 384 key_sa_recordxfer(sav, m); 385 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 || 386 ipsec_addhist(m, IPPROTO_IPV4, 0) != 0) { 387 ipsecstat.in_nomem++; 388 goto bad; 389 } 390 391 if (! IF_HANDOFF(&ipintrq, m, NULL)) { 392 ipsecstat.in_inval++; 393 m = NULL; 394 goto bad; 395 } 396 m = NULL; 397 schednetisr(NETISR_IP); /* can be skipped but to make sure */ 398 nxt = IPPROTO_DONE; 399 } else { 400 /* 401 * strip off ESP header and IV. 402 * even in m_pulldown case, we need to strip off ESP so that 403 * we can always compute checksum for AH correctly. 404 */ 405 size_t stripsiz; 406 407 stripsiz = esplen + ivlen; 408 409 ip = mtod(m, struct ip *); 410 ovbcopy((caddr_t)ip, (caddr_t)(((u_char *)ip) + stripsiz), off); 411 m->m_data += stripsiz; 412 m->m_len -= stripsiz; 413 m->m_pkthdr.len -= stripsiz; 414 415 ip = mtod(m, struct ip *); 416 #ifdef IPLEN_FLIPPED 417 ip->ip_len = ip->ip_len - stripsiz; 418 #else 419 ip->ip_len = htons(ntohs(ip->ip_len) - stripsiz); 420 #endif 421 ip->ip_p = nxt; 422 423 key_sa_recordxfer(sav, m); 424 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0) { 425 ipsecstat.in_nomem++; 426 goto bad; 427 } 428 429 if (nxt != IPPROTO_DONE) { 430 if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && 431 ipsec4_in_reject(m, NULL)) { 432 ipsecstat.in_polvio++; 433 goto bad; 434 } 435 (*inetsw[ip_protox[nxt]].pr_input)(m, off); 436 } else 437 m_freem(m); 438 m = NULL; 439 } 440 441 if (sav) { 442 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 443 printf("DP esp4_input call free SA:%p\n", sav)); 444 key_freesav(sav); 445 } 446 ipsecstat.in_success++; 447 return; 448 449 bad: 450 if (sav) { 451 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 452 printf("DP esp4_input call free SA:%p\n", sav)); 453 key_freesav(sav); 454 } 455 if (m) 456 m_freem(m); 457 return; 458 } 459 #endif /* INET */ 460 461 #ifdef INET6 462 int 463 esp6_input(mp, offp, proto) 464 struct mbuf **mp; 465 int *offp, proto; 466 { 467 struct mbuf *m = *mp; 468 int off = *offp; 469 struct ip6_hdr *ip6; 470 struct esp *esp; 471 struct esptail esptail; 472 u_int32_t spi; 473 struct secasvar *sav = NULL; 474 size_t taillen; 475 u_int16_t nxt; 476 const struct esp_algorithm *algo; 477 int ivlen; 478 size_t esplen; 479 480 /* sanity check for alignment. */ 481 if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { 482 ipseclog((LOG_ERR, "IPv6 ESP input: packet alignment problem " 483 "(off=%d, pktlen=%d)\n", off, m->m_pkthdr.len)); 484 ipsec6stat.in_inval++; 485 goto bad; 486 } 487 488 #ifndef PULLDOWN_TEST 489 IP6_EXTHDR_CHECK(m, off, ESPMAXLEN, IPPROTO_DONE); 490 esp = (struct esp *)(mtod(m, caddr_t) + off); 491 #else 492 IP6_EXTHDR_GET(esp, struct esp *, m, off, ESPMAXLEN); 493 if (esp == NULL) { 494 ipsec6stat.in_inval++; 495 return IPPROTO_DONE; 496 } 497 #endif 498 ip6 = mtod(m, struct ip6_hdr *); 499 500 if (ntohs(ip6->ip6_plen) == 0) { 501 ipseclog((LOG_ERR, "IPv6 ESP input: " 502 "ESP with IPv6 jumbogram is not supported.\n")); 503 ipsec6stat.in_inval++; 504 goto bad; 505 } 506 507 /* find the sassoc. */ 508 spi = esp->esp_spi; 509 510 if ((sav = key_allocsa(AF_INET6, 511 (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst, 512 IPPROTO_ESP, spi)) == 0) { 513 ipseclog((LOG_WARNING, 514 "IPv6 ESP input: no key association found for spi %u\n", 515 (u_int32_t)ntohl(spi))); 516 ipsec6stat.in_nosa++; 517 goto bad; 518 } 519 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 520 printf("DP esp6_input called to allocate SA:%p\n", sav)); 521 if (sav->state != SADB_SASTATE_MATURE 522 && sav->state != SADB_SASTATE_DYING) { 523 ipseclog((LOG_DEBUG, 524 "IPv6 ESP input: non-mature/dying SA found for spi %u\n", 525 (u_int32_t)ntohl(spi))); 526 ipsec6stat.in_badspi++; 527 goto bad; 528 } 529 algo = esp_algorithm_lookup(sav->alg_enc); 530 if (!algo) { 531 ipseclog((LOG_DEBUG, "IPv6 ESP input: " 532 "unsupported encryption algorithm for spi %u\n", 533 (u_int32_t)ntohl(spi))); 534 ipsec6stat.in_badspi++; 535 goto bad; 536 } 537 538 /* check if we have proper ivlen information */ 539 ivlen = sav->ivlen; 540 if (ivlen < 0) { 541 ipseclog((LOG_ERR, "inproper ivlen in IPv6 ESP input: %s %s\n", 542 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 543 ipsec6stat.in_badspi++; 544 goto bad; 545 } 546 547 if (!((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay 548 && (sav->alg_auth && sav->key_auth))) 549 goto noreplaycheck; 550 551 if (sav->alg_auth == SADB_X_AALG_NULL || 552 sav->alg_auth == SADB_AALG_NONE) 553 goto noreplaycheck; 554 555 /* 556 * check for sequence number. 557 */ 558 if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) 559 ; /* okey */ 560 else { 561 ipsec6stat.in_espreplay++; 562 ipseclog((LOG_WARNING, 563 "replay packet in IPv6 ESP input: %s %s\n", 564 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 565 goto bad; 566 } 567 568 /* check ICV */ 569 { 570 u_char sum0[AH_MAXSUMSIZE]; 571 u_char sum[AH_MAXSUMSIZE]; 572 const struct ah_algorithm *sumalgo; 573 size_t siz; 574 575 sumalgo = ah_algorithm_lookup(sav->alg_auth); 576 if (!sumalgo) 577 goto noreplaycheck; 578 siz = (((*sumalgo->sumsiz)(sav) + 3) & ~(4 - 1)); 579 if (m->m_pkthdr.len < off + ESPMAXLEN + siz) { 580 ipsecstat.in_inval++; 581 goto bad; 582 } 583 if (AH_MAXSUMSIZE < siz) { 584 ipseclog((LOG_DEBUG, 585 "internal error: AH_MAXSUMSIZE must be larger than %lu\n", 586 (u_long)siz)); 587 ipsec6stat.in_inval++; 588 goto bad; 589 } 590 591 m_copydata(m, m->m_pkthdr.len - siz, siz, &sum0[0]); 592 593 if (esp_auth(m, off, m->m_pkthdr.len - off - siz, sav, sum)) { 594 ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n", 595 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 596 ipsec6stat.in_espauthfail++; 597 goto bad; 598 } 599 600 if (bcmp(sum0, sum, siz) != 0) { 601 ipseclog((LOG_WARNING, "auth fail in IPv6 ESP input: %s %s\n", 602 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 603 ipsec6stat.in_espauthfail++; 604 goto bad; 605 } 606 607 /* strip off the authentication data */ 608 m_adj(m, -siz); 609 ip6 = mtod(m, struct ip6_hdr *); 610 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - siz); 611 612 m->m_flags |= M_AUTHIPDGM; 613 ipsec6stat.in_espauthsucc++; 614 } 615 616 /* 617 * update sequence number. 618 */ 619 if ((sav->flags & SADB_X_EXT_OLD) == 0 && sav->replay) { 620 if (ipsec_updatereplay(ntohl(((struct newesp *)esp)->esp_seq), sav)) { 621 ipsec6stat.in_espreplay++; 622 goto bad; 623 } 624 } 625 626 noreplaycheck: 627 628 /* process main esp header. */ 629 if (sav->flags & SADB_X_EXT_OLD) { 630 /* RFC 1827 */ 631 esplen = sizeof(struct esp); 632 } else { 633 /* RFC 2406 */ 634 if (sav->flags & SADB_X_EXT_DERIV) 635 esplen = sizeof(struct esp); 636 else 637 esplen = sizeof(struct newesp); 638 } 639 640 if (m->m_pkthdr.len < off + esplen + ivlen + sizeof(esptail)) { 641 ipseclog((LOG_WARNING, 642 "IPv6 ESP input: packet too short\n")); 643 ipsec6stat.in_inval++; 644 goto bad; 645 } 646 647 #ifndef PULLDOWN_TEST 648 IP6_EXTHDR_CHECK(m, off, esplen + ivlen, IPPROTO_DONE); /* XXX */ 649 #else 650 IP6_EXTHDR_GET(esp, struct esp *, m, off, esplen + ivlen); 651 if (esp == NULL) { 652 ipsec6stat.in_inval++; 653 m = NULL; 654 goto bad; 655 } 656 #endif 657 ip6 = mtod(m, struct ip6_hdr *); /* set it again just in case */ 658 659 /* 660 * pre-compute and cache intermediate key 661 */ 662 if (esp_schedule(algo, sav) != 0) { 663 ipsec6stat.in_inval++; 664 goto bad; 665 } 666 667 /* 668 * decrypt the packet. 669 */ 670 if (!algo->decrypt) 671 panic("internal error: no decrypt function"); 672 if ((*algo->decrypt)(m, off, sav, algo, ivlen)) { 673 /* m is already freed */ 674 m = NULL; 675 ipseclog((LOG_ERR, "decrypt fail in IPv6 ESP input: %s\n", 676 ipsec_logsastr(sav))); 677 ipsec6stat.in_inval++; 678 goto bad; 679 } 680 ipsec6stat.in_esphist[sav->alg_enc]++; 681 682 m->m_flags |= M_DECRYPTED; 683 684 /* 685 * find the trailer of the ESP. 686 */ 687 m_copydata(m, m->m_pkthdr.len - sizeof(esptail), sizeof(esptail), 688 (caddr_t)&esptail); 689 nxt = esptail.esp_nxt; 690 taillen = esptail.esp_padlen + sizeof(esptail); 691 692 if (m->m_pkthdr.len < taillen 693 || m->m_pkthdr.len - taillen < sizeof(struct ip6_hdr)) { /* ? */ 694 ipseclog((LOG_WARNING, 695 "bad pad length in IPv6 ESP input: %s %s\n", 696 ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav))); 697 ipsec6stat.in_inval++; 698 goto bad; 699 } 700 701 /* strip off the trailing pad area. */ 702 m_adj(m, -taillen); 703 704 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - taillen); 705 706 /* was it transmitted over the IPsec tunnel SA? */ 707 if (ipsec6_tunnel_validate(m, off + esplen + ivlen, nxt, sav)) { 708 /* 709 * strip off all the headers that precedes ESP header. 710 * IP6 xx ESP IP6' payload -> IP6' payload 711 * 712 * XXX more sanity checks 713 * XXX relationship with gif? 714 */ 715 u_int32_t flowinfo; /* net endian */ 716 flowinfo = ip6->ip6_flow; 717 m_adj(m, off + esplen + ivlen); 718 if (m->m_len < sizeof(*ip6)) { 719 #ifndef PULLDOWN_TEST 720 /* 721 * m_pullup is prohibited in KAME IPv6 input processing 722 * but there's no other way! 723 */ 724 #else 725 /* okay to pullup in m_pulldown style */ 726 #endif 727 m = m_pullup(m, sizeof(*ip6)); 728 if (!m) { 729 ipsec6stat.in_inval++; 730 goto bad; 731 } 732 } 733 ip6 = mtod(m, struct ip6_hdr *); 734 /* ECN consideration. */ 735 ip6_ecn_egress(ip6_ipsec_ecn, &flowinfo, &ip6->ip6_flow); 736 if (!key_checktunnelsanity(sav, AF_INET6, 737 (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst)) { 738 ipseclog((LOG_ERR, "ipsec tunnel address mismatch " 739 "in IPv6 ESP input: %s %s\n", 740 ipsec6_logpacketstr(ip6, spi), 741 ipsec_logsastr(sav))); 742 ipsec6stat.in_inval++; 743 goto bad; 744 } 745 746 key_sa_recordxfer(sav, m); 747 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 || 748 ipsec_addhist(m, IPPROTO_IPV6, 0) != 0) { 749 ipsec6stat.in_nomem++; 750 goto bad; 751 } 752 753 if (! IF_HANDOFF(&ip6intrq, m, NULL)) { 754 ipsec6stat.in_inval++; 755 m = NULL; 756 goto bad; 757 } 758 m = NULL; 759 schednetisr(NETISR_IPV6); /* can be skipped but to make sure */ 760 nxt = IPPROTO_DONE; 761 } else { 762 /* 763 * strip off ESP header and IV. 764 * even in m_pulldown case, we need to strip off ESP so that 765 * we can always compute checksum for AH correctly. 766 */ 767 size_t stripsiz; 768 char *prvnxtp; 769 770 /* 771 * Set the next header field of the previous header correctly. 772 */ 773 prvnxtp = ip6_get_prevhdr(m, off); /* XXX */ 774 *prvnxtp = nxt; 775 776 stripsiz = esplen + ivlen; 777 778 ip6 = mtod(m, struct ip6_hdr *); 779 if (m->m_len >= stripsiz + off) { 780 ovbcopy((caddr_t)ip6, ((caddr_t)ip6) + stripsiz, off); 781 m->m_data += stripsiz; 782 m->m_len -= stripsiz; 783 m->m_pkthdr.len -= stripsiz; 784 } else { 785 /* 786 * this comes with no copy if the boundary is on 787 * cluster 788 */ 789 struct mbuf *n; 790 791 n = m_split(m, off, M_DONTWAIT); 792 if (n == NULL) { 793 /* m is retained by m_split */ 794 goto bad; 795 } 796 m_adj(n, stripsiz); 797 m_cat(m, n); 798 /* m_cat does not update m_pkthdr.len */ 799 m->m_pkthdr.len += n->m_pkthdr.len; 800 } 801 802 #ifndef PULLDOWN_TEST 803 /* 804 * KAME requires that the packet to be contiguous on the 805 * mbuf. We need to make that sure. 806 * this kind of code should be avoided. 807 * XXX other conditions to avoid running this part? 808 */ 809 if (m->m_len != m->m_pkthdr.len) { 810 struct mbuf *n = NULL; 811 int maxlen; 812 813 MGETHDR(n, M_DONTWAIT, MT_HEADER); 814 maxlen = MHLEN; 815 if (n) 816 M_COPY_PKTHDR(n, m); 817 if (n && m->m_pkthdr.len > maxlen) { 818 MCLGET(n, M_DONTWAIT); 819 maxlen = MCLBYTES; 820 if ((n->m_flags & M_EXT) == 0) { 821 m_free(n); 822 n = NULL; 823 } 824 } 825 if (!n) { 826 printf("esp6_input: mbuf allocation failed\n"); 827 goto bad; 828 } 829 830 if (m->m_pkthdr.len <= maxlen) { 831 m_copydata(m, 0, m->m_pkthdr.len, mtod(n, caddr_t)); 832 n->m_len = m->m_pkthdr.len; 833 n->m_pkthdr.len = m->m_pkthdr.len; 834 n->m_next = NULL; 835 m_freem(m); 836 } else { 837 m_copydata(m, 0, maxlen, mtod(n, caddr_t)); 838 n->m_len = maxlen; 839 n->m_pkthdr.len = m->m_pkthdr.len; 840 n->m_next = m; 841 m_adj(m, maxlen); 842 m->m_flags &= ~M_PKTHDR; 843 } 844 m = n; 845 } 846 #endif 847 848 ip6 = mtod(m, struct ip6_hdr *); 849 ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz); 850 851 key_sa_recordxfer(sav, m); 852 if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0) { 853 ipsec6stat.in_nomem++; 854 goto bad; 855 } 856 } 857 858 *offp = off; 859 *mp = m; 860 861 if (sav) { 862 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 863 printf("DP esp6_input call free SA:%p\n", sav)); 864 key_freesav(sav); 865 } 866 ipsec6stat.in_success++; 867 return nxt; 868 869 bad: 870 if (sav) { 871 KEYDEBUG(KEYDEBUG_IPSEC_STAMP, 872 printf("DP esp6_input call free SA:%p\n", sav)); 873 key_freesav(sav); 874 } 875 if (m) 876 m_freem(m); 877 return IPPROTO_DONE; 878 } 879 880 void 881 esp6_ctlinput(cmd, sa, d) 882 int cmd; 883 struct sockaddr *sa; 884 void *d; 885 { 886 const struct newesp *espp; 887 struct newesp esp; 888 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 889 struct secasvar *sav; 890 struct ip6_hdr *ip6; 891 struct mbuf *m; 892 int off; 893 struct sockaddr_in6 *sa6_src, *sa6_dst; 894 895 if (sa->sa_family != AF_INET6 || 896 sa->sa_len != sizeof(struct sockaddr_in6)) 897 return; 898 if ((unsigned)cmd >= PRC_NCMDS) 899 return; 900 901 /* if the parameter is from icmp6, decode it. */ 902 if (d != NULL) { 903 ip6cp = (struct ip6ctlparam *)d; 904 m = ip6cp->ip6c_m; 905 ip6 = ip6cp->ip6c_ip6; 906 off = ip6cp->ip6c_off; 907 } else { 908 m = NULL; 909 ip6 = NULL; 910 off = 0; /* calm gcc */ 911 } 912 913 if (ip6) { 914 /* 915 * Notify the error to all possible sockets via pfctlinput2. 916 * Since the upper layer information (such as protocol type, 917 * source and destination ports) is embedded in the encrypted 918 * data and might have been cut, we can't directly call 919 * an upper layer ctlinput function. However, the pcbnotify 920 * function will consider source and destination addresses 921 * as well as the flow info value, and may be able to find 922 * some PCB that should be notified. 923 * Although pfctlinput2 will call esp6_ctlinput(), there is 924 * no possibility of an infinite loop of function calls, 925 * because we don't pass the inner IPv6 header. 926 */ 927 bzero(&ip6cp1, sizeof(ip6cp1)); 928 ip6cp1.ip6c_src = ip6cp->ip6c_src; 929 pfctlinput2(cmd, sa, (void *)&ip6cp1); 930 931 /* 932 * Then go to special cases that need ESP header information. 933 * XXX: We assume that when ip6 is non NULL, 934 * M and OFF are valid. 935 */ 936 937 /* check if we can safely examine src and dst ports */ 938 if (m->m_pkthdr.len < off + sizeof(esp)) 939 return; 940 941 if (m->m_len < off + sizeof(esp)) { 942 /* 943 * this should be rare case, 944 * so we compromise on this copy... 945 */ 946 m_copydata(m, off, sizeof(esp), (caddr_t)&esp); 947 espp = &esp; 948 } else 949 espp = (struct newesp*)(mtod(m, caddr_t) + off); 950 951 if (cmd == PRC_MSGSIZE) { 952 int valid = 0; 953 954 /* 955 * Check to see if we have a valid SA corresponding to 956 * the address in the ICMP message payload. 957 */ 958 sa6_src = ip6cp->ip6c_src; 959 sa6_dst = (struct sockaddr_in6 *)sa; 960 sav = key_allocsa(AF_INET6, 961 (caddr_t)&sa6_src->sin6_addr, 962 (caddr_t)&sa6_dst->sin6_addr, 963 IPPROTO_ESP, espp->esp_spi); 964 if (sav) { 965 if (sav->state == SADB_SASTATE_MATURE || 966 sav->state == SADB_SASTATE_DYING) 967 valid++; 968 key_freesav(sav); 969 } 970 971 /* XXX Further validation? */ 972 973 /* 974 * Depending on the value of "valid" and routing table 975 * size (mtudisc_{hi,lo}wat), we will: 976 * - recalcurate the new MTU and create the 977 * corresponding routing entry, or 978 * - ignore the MTU change notification. 979 */ 980 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 981 } 982 } else { 983 /* we normally notify any pcb here */ 984 } 985 } 986 #endif /* INET6 */
Cache object: 94720bd51cd5195dcf225072d587d2b8
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]